-
Notifications
You must be signed in to change notification settings - Fork 784
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
16dc96b
commit b268935
Showing
4 changed files
with
104 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # Require certain labels | ||
|
|
||
| In many cases, you may require that at least a certain number of labels are assigned to each Pod from a select list of approved labels. This sample policy demonstrates the [`anyPattern`](https://kyverno.io/docs/writing-policies/validate/#anypattern---logical-or-across-multiple-validation-patterns) option in a policy by requiring any of the two possible labels defined within. A pod must either have the label `app.kubernetes.io/name` or `app.kubernetes.io/component` defined. | ||
|
|
||
| ## Policy YAML | ||
|
|
||
| [require_certain_labels.yaml](best_practices/require_certain_labels.yaml) | ||
|
|
||
| ```yaml | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: require-certain-labels | ||
| spec: | ||
| validationFailureAction: audit | ||
| rules: | ||
| - name: validate-certain-labels | ||
| match: | ||
| resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: "The label `app.kubernetes.io/name` or `app.kubernetes.io/component` is required." | ||
| anyPattern: | ||
| - metadata: | ||
| labels: | ||
| app.kubernetes.io/name: "?*" | ||
| - metadata: | ||
| labels: | ||
| app.kubernetes.io/component: "?*" | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| # Require labels | ||
|
|
||
| Labels are a fundamental and important way to assign descriptive metadata to Kubernetes resources, especially Pods. Labels are especially important as the number of applications grow and are composed in different ways. | ||
|
|
||
| This sample policy requires that the label `app.kubernetes.io/name` be defined on all Pods. If you wish to require that all Pods have multiple labels defined (as opposed to [any labels from an approved list](RequireCertainLabels.md)), this policy can be altered by adding an additional rule block which checks for a second (or third, etc.) label name. | ||
|
|
||
| ## More Information | ||
|
|
||
| * [Common labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/) | ||
|
|
||
| ## Policy YAML | ||
|
|
||
| [require_labels.yaml](best_practices/require_labels.yaml) | ||
|
|
||
| ```yaml | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: require-labels | ||
| spec: | ||
| validationFailureAction: audit | ||
| rules: | ||
| - name: check-for-labels | ||
| match: | ||
| resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: "The label `app.kubernetes.io/name` is required." | ||
| pattern: | ||
| metadata: | ||
| labels: | ||
| app.kubernetes.io/name: "?*" | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: require-certain-labels | ||
| spec: | ||
| validationFailureAction: audit | ||
| rules: | ||
| - name: validate-certain-labels | ||
| match: | ||
| resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: "The label `app.kubernetes.io/name` or `app.kubernetes.io/component` is required." | ||
| anyPattern: | ||
| - metadata: | ||
| labels: | ||
| app.kubernetes.io/name: "?*" | ||
| - metadata: | ||
| labels: | ||
| app.kubernetes.io/component: "?*" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: require-labels | ||
| spec: | ||
| validationFailureAction: audit | ||
| rules: | ||
| - name: check-for-labels | ||
| match: | ||
| resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: "The label `app.kubernetes.io/name` is required." | ||
| pattern: | ||
| metadata: | ||
| labels: | ||
| app.kubernetes.io/name: "?*" |