Merge pull request #1247 from chipzoller/main
Create sample policies for labels
Showing 8 changed files with 206 additions and 34 deletions.
@@ -0,0 +1,31 @@ | ||
# Require certain labels | ||
|
||
In many cases, you may require that at least a certain number of labels are assigned to each Pod from a select list of approved labels. This sample policy demonstrates the [`anyPattern`](https://kyverno.io/docs/writing-policies/validate/#anypattern---logical-or-across-multiple-validation-patterns) option in a policy by requiring any of the two possible labels defined within. A pod must either have the label `app.kubernetes.io/name` or `app.kubernetes.io/component` defined. | ||
|
||
## Policy YAML | ||
|
||
[require_certain_labels.yaml](best_practices/require_certain_labels.yaml) | ||
|
||
```yaml | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: require-certain-labels | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: validate-certain-labels | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "The label `app.kubernetes.io/name` or `app.kubernetes.io/component` is required." | ||
anyPattern: | ||
- metadata: | ||
labels: | ||
app.kubernetes.io/name: "?*" | ||
- metadata: | ||
labels: | ||
app.kubernetes.io/component: "?*" | ||
``` |
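Review bot: the intro overstates what this sample does. "at least a certain number of labels ... from a select list" describes a general N-of-M check, but the policy only requires one of two labels, and "requiring any of the two possible labels" should read "either of the two". Suggest tightening the first sentence to match the `anyPattern` block, and adding one line saying that with `validationFailureAction: audit` a Pod missing both labels is reported, not rejected, and that `"?*"` requires the label value to be non-empty.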
@@ -0,0 +1,40 @@ | ||
# Require deployments have multiple replicas | ||
|
||
Deployments with only a single replica produce availability concerns should that single replica fail. In most cases, you would want Deployment objects to have more than one replica to ensure continued availability if not scale. | ||
|
||
This sample policy requires that Deployments have more than one replica excluding a list of system namespaces. | ||
|
||
## More Information | ||
|
||
* [Kubernetes Deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) | ||
|
||
## Policy YAML | ||
|
||
[require_deployments_have_multiple_replicas.yaml](more/require_deployments_have_multiple_replicas.yaml) | ||
|
||
```yaml | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: deployment-has-multiple-replicas | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: deployment-has-multiple-replicas | ||
match: | ||
resources: | ||
kinds: | ||
- Deployment | ||
exclude: | ||
resources: | ||
namespaces: | ||
- kyverno | ||
- kube-system | ||
- kube-node-lease | ||
- kube-public | ||
validate: | ||
message: "Deployments must have more than one replica to ensure availability." | ||
pattern: | ||
spec: | ||
replicas: ">1" | ||
``` |
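Review bot: the doc says the policy excludes "a list of system namespaces", but the YAML also excludes `kyverno`, which is Kyverno's own namespace rather than a Kubernetes system namespace; say so explicitly, since anyone installing Kyverno elsewhere must edit that list or the audit will report Kyverno's own Deployment. Also "to ensure continued availability if not scale" reads awkwardly; suggest "to ensure continued availability, and often to scale". Minor naming point: `metadata.name` and the rule name are both `deployment-has-multiple-replicas` while the file and page are called `require_deployments_have_multiple_replicas`; aligning them makes policy reports easier to trace back.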
@@ -0,0 +1,34 @@ | ||
# Require labels | ||
|
||
Labels are a fundamental and important way to assign descriptive metadata to Kubernetes resources, especially Pods. Labels are especially important as the number of applications grow and are composed in different ways. | ||
|
||
This sample policy requires that the label `app.kubernetes.io/name` be defined on all Pods. If you wish to require that all Pods have multiple labels defined (as opposed to [any labels from an approved list](RequireCertainLabels.md)), this policy can be altered by adding an additional rule block which checks for a second (or third, etc.) label name. | ||
|
||
## More Information | ||
|
||
* [Common labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/) | ||
|
||
## Policy YAML | ||
|
||
[require_labels.yaml](best_practices/require_labels.yaml) | ||
|
||
```yaml | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: require-labels | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: check-for-labels | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "The label `app.kubernetes.io/name` is required." | ||
pattern: | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: "?*" | ||
``` |
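Review bot: the advice to add "an additional rule block" per extra label is more than needed. Every key in a `pattern` must match, so listing two keys under `metadata.labels` in this one pattern already requires both labels; a separate rule is only worth it when you want a distinct failure message per label. Suggest showing the two-key pattern and noting the per-message trade-off. Grammar: "as the number of applications grow" should be "grows".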
@@ -0,0 +1,21 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: require-certain-labels | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: validate-certain-labels | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "The label `app.kubernetes.io/name` or `app.kubernetes.io/component` is required." | ||
anyPattern: | ||
- metadata: | ||
labels: | ||
app.kubernetes.io/name: "?*" | ||
- metadata: | ||
labels: | ||
app.kubernetes.io/component: "?*" |
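Review bot: this file repeats, byte for byte, the YAML embedded in the RequireCertainLabels.md page added in the same commit, so the two will drift as soon as one is edited. If the markdown is meant to show the real policy, consider either generating the fenced block from this file or adding a CI check that diffs the two.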
@@ -0,0 +1,18 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: require-labels | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: check-for-labels | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "The label `app.kubernetes.io/name` is required." | ||
pattern: | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: "?*" |
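Review bot: the rule name `check-for-labels` is generic while the rule checks exactly one label, `app.kubernetes.io/name`; a name such as `check-for-app-name-label` would read better in policy reports and would match the message text. Same duplication concern as the other YAML files: this content is repeated verbatim in RequireLabels.md.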
samples/more/require_deployments_have_multiple_replicas.yaml (24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: deployment-has-multiple-replicas | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: deployment-has-multiple-replicas | ||
match: | ||
resources: | ||
kinds: | ||
- Deployment | ||
exclude: | ||
resources: | ||
namespaces: | ||
- kyverno | ||
- kube-system | ||
- kube-node-lease | ||
- kube-public | ||
validate: | ||
message: "Deployments must have more than one replica to ensure availability." | ||
pattern: | ||
spec: | ||
replicas: ">1" |
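Review bot: the `exclude` list hard-codes the `kyverno` namespace, and nothing in the file or its README says that list must be edited when Kyverno is installed somewhere else; a comment above `namespaces:` would cover that. With `validationFailureAction: audit` a single-replica Deployment is only reported, which is fine for a sample, but the message "must have more than one replica" reads as if the object were blocked; consider wording the message to match the enforcement mode or noting it in the README.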