Commit
KEP-3488 ValidatingAdmissionPolicy: Enforcement actions, audit annotations, and secondary authz (#40098)

* Document auditAnnotations, validationActions and authorizer

* Apply suggestions from code review

Co-authored-by: Qiming Teng <tengqm@outlook.com>

* Apply suggestions from code review

Co-authored-by: Tim Allclair <timallclair@gmail.com>

* Apply feedback

---------

Co-authored-by: Qiming Teng <tengqm@outlook.com>
Co-authored-by: Tim Allclair <timallclair@gmail.com>
1 parent 40a6ff8, commit cf37b59
Showing 4 changed files with 110 additions and 0 deletions.
12 changes: 12 additions & 0 deletions
content/en/examples/access/audit-event-with-audit-annotation.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# the audit event recorded | ||
{ | ||
"kind": "Event", | ||
"apiVersion": "audit.k8s.io/v1", | ||
"annotations": { | ||
"demo-policy.example.com/high-replica-count": "Deployment spec.replicas set to 128" | ||
# other annotations | ||
... | ||
} | ||
# other fields | ||
... | ||
} |
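Review bot: this example is saved with a `.yaml` extension but does not parse as YAML or JSON as written, because the JSON object body carries `#` comments and bare `...` placeholder lines, and the annotation entry has no separator before the `...` that follows it. If the file is only meant to be rendered as an excerpt, say so in the leading comment; otherwise drop the placeholders so that readers who paste it into a parser or a log query get something usable. It would also help to state next to the example that the annotation key `demo-policy.example.com/high-replica-count` is the policy's `metadata.name` joined by `/` with the `key` from the policy example, since that is the string someone searching audit logs has to match.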
15 changes: 15 additions & 0 deletions
content/en/examples/access/validating-admission-policy-audit-annotation.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: admissionregistration.k8s.io/v1alpha1 | ||
kind: ValidatingAdmissionPolicy | ||
metadata: | ||
name: "demo-policy.example.com" | ||
spec: | ||
failurePolicy: Fail | ||
matchConstraints: | ||
resourceRules: | ||
- apiGroups: ["apps"] | ||
apiVersions: ["v1"] | ||
operations: ["CREATE", "UPDATE"] | ||
resources: ["deployments"] | ||
validations: | ||
- key: "high-replica-count" | ||
valueExpression: "object.spec.replicas > 50 ? 'Deployment spec.replicas set to ' + string(object.spec.replicas) : null" |
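Review bot: the single entry under `validations:` uses `key` and `valueExpression`, which are the fields of the `auditAnnotations` feature this commit documents, while a `validations` entry is defined by an `expression`. As written, the file named for audit annotations never sets `auditAnnotations`, so the policy would not produce the `high-replica-count` annotation shown in the audit event example. Move the `key` / `valueExpression` item under `auditAnnotations:` in `spec`, and keep `validations:` only if it carries its own `expression` entry. A short comment noting that a `null` result from `valueExpression` means no annotation is written for that request would also make the ternary easier to read.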