Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable image substitution in the background mode #1846

Merged
merged 2 commits into from Apr 28, 2021
Merged

Enable image substitution in the background mode #1846

merged 2 commits into from Apr 28, 2021

Conversation

realshuting
Copy link
Member

@realshuting realshuting commented Apr 28, 2021
edited

Signed-off-by: Shuting Zhao shutting06@gmail.com

Related issue

Closes #1812.

What type of PR is this

/kind feature

Proposed Changes

Proof Manifests

The following policy has no background set, which means by default the policy will apply in the background mode.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-network-policy
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
spec:
  validationFailureAction: enforce
  rules:
  - name: require-network-policy
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Tag 'latest' is not allowed for 'nginx' container. "
      deny:
        conditions:
        - key: "{{ images.containers.nginx.tag}}"
          operator: Equals
          value: latest

I have 2 pods (nginx and nginx-8669ff8c97-fbcjr ) with nginx container in the cluster

✗ kg pod
NAME                             READY   STATUS    RESTARTS   AGE
example-6f7555bb94-7plf9         1/1     Running   0          19h
example-6f7555bb94-b545z         1/1     Running   0          19h
example-6f7555bb94-rvv9d         1/1     Running   0          19h
kyvernodeploy-5c74fc9dd6-8h2xj   1/1     Running   0          4d21h
myapp                            1/1     Running   0          12d
nginx                            1/1     Running   0          27m
nginx-8669ff8c97-fbcjr           1/1     Running   0          2d2h

You can see there are 2 violations in the policy report

✗ kg polr
NAME              PASS   FAIL   WARN   ERROR   SKIP   AGE
polr-ns-default   5      2      0      0       0      21m

Checklist

  • I have read the contributing guidelines.
  • [] I have added tests that prove my fix is effective or that my feature works.
  • [] My PR contains new or altered behavior to Kyverno and
    • [] I have added or changed the documentation myself in an existing PR and the link is:
    • [] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

Further Comments

@realshuting
Enable image substitution in the background mode
85dde7e 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
@realshuting
fix the unit test
e9c2d89 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
@JimBugwadia JimBugwadia merged commit df6c896 into kyverno:main Apr 28, 2021
@realshuting realshuting deleted the background_image_properties branch April 28, 2021 23:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JimBugwadia JimBugwadia JimBugwadia approved these changes

Assignees

@JimBugwadia JimBugwadia

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support image properties in the background mode
2 participants
@realshuting @JimBugwadia