-
Notifications
You must be signed in to change notification settings - Fork 791
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* added check for any/all Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * minor corrections Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * corrected return check for rbac info Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * added cli test Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
- Loading branch information
1 parent
2572236
commit df4d7ae
Showing
4 changed files
with
57 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
name: test-exclude | ||
policies: | ||
- policy.yaml | ||
resources: | ||
- resources.yaml | ||
results: | ||
- policy: restrict-labels | ||
rule: restrict-labels | ||
resource: kyverno-system-tst | ||
kind: Namespace | ||
result: fail |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: restrict-labels | ||
labels: | ||
policy.schiff.telekom.de: enforced | ||
annotations: | ||
policies.kyverno.io/title: Restrict Labels on Namespaces | ||
policies.kyverno.io/category: Labels | ||
policies.kyverno.io/minversion: 1.3.0 | ||
policies.kyverno.io/description: >- | ||
This policy prevents the use of an label beginning with a common | ||
key name (in this case "platform.das-schiff.telekom.de/owner | owner"). This can be useful to ensure users either | ||
don't set reserved labels or to force them to | ||
use a newer version of an label. | ||
spec: | ||
validationFailureAction: enforce | ||
background: false | ||
rules: | ||
- name: restrict-labels | ||
match: | ||
resources: | ||
kinds: | ||
- Namespace | ||
exclude: | ||
clusterRoles: | ||
- cluster-admin | ||
validate: | ||
message: 'Every namespace has to have `platform.das-schiff.telekom.de/owner` label. It must not have value `das-schiff` which is reserved for system namespaces' | ||
pattern: | ||
metadata: | ||
labels: | ||
platform.das-schiff.telekom.de/owner: "!das-schiff" | ||
# For forward compatibility | ||
=(schiff.telekom.de/owner): "!schiff" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: kyverno-system-tst | ||
labels: | ||
name: kyverno-system-tst | ||
schiff.telekom.de/owner: schiff | ||
platform.das-schiff.telekom.de/owner: das-schiff |