From 0ff1f8d20e20493af055f24bdd316955b71ff775 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Serta=C3=A7=20=C3=96zercan?= <852750+sozercan@users.noreply.github.com> Date: Wed, 28 Feb 2024 21:36:39 -0800 Subject: [PATCH] docs: document constraint match.source (#3291) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Sertac Ozercan Signed-off-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> Co-authored-by: Rita Zhang --- website/docs/expansion.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/website/docs/expansion.md b/website/docs/expansion.md index 4b2fb07ab45..43c816f7b09 100644 --- a/website/docs/expansion.md +++ b/website/docs/expansion.md @@ -12,7 +12,7 @@ title: Validating Workload Resources using ExpansionTemplate A workload resource is a resource that creates other resources, such as a [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) or [Job](https://kubernetes.io/docs/concepts/workloads/controllers/job/). Gatekeeper can be configured to reject workload resources -that create a resource that violates a constraint. +that create a resource that violates a constraint. ## `ExpansionTemplate` explained 
@@ -165,6 +165,21 @@ setting the `Constraint`'s `spec.match.source` field to `Generated`. This can also be used to define different enforcement actions for expanded resources and original resources. +For example, suppose a cluster has a policy that blocks all [standalone pods](https://kubernetes.io/docs/concepts/configuration/overview/#naked-pods-vs-replicasets-deployments-and-jobs), but allows them to be created as part of a workload resource, such as `Deployment`. A user could create a `Constraint` that only targets original resources, like so: + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: block-standalone-pods +metadata: + name: block-standalone-pods +spec: + match: + source: Original + kinds: + - apiGroups: [""] + kinds: ["Pod"] +``` + ## Mutating Example Suppose a cluster is using Istio, and has a policy configured to ensure
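Review bot: the one-line hunk at `@@ -12,7 +12,7 @@` in `website/docs/expansion.md` changes only whitespace on `that create a resource that violates a constraint.` and has nothing to do with documenting `match.source`; if it is an intentional trailing-whitespace cleanup, say so in the commit message, otherwise drop it so the patch stays limited to the feature it documents.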
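Review bot: in the YAML example added at `@@ -165,6 +165,21 @@`, `kind: block-standalone-pods` is not a usable Constraint kind: a Gatekeeper Constraint's `kind` is the CamelCase kind declared by a ConstraintTemplate's `spec.crd.spec.names.kind`, and the hyphenated value here just repeats `metadata.name`. Suggest using a kind that a template would actually declare, e.g. `kind: K8sBlockStandalonePods` (an assumed name), and stating which ConstraintTemplate the example relies on. It would also help readers if the new paragraph listed the accepted `spec.match.source` values next to `Original`, since the surrounding context only names `Generated` and never says that `Original` is one of a fixed set.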