创建了下面的集群策略,该策略阻止了所有在Docker标签中没有com.*****.os-policy.verified
的镜像,并且按预期工作。
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: disallow-host-namespaces
spec:
validationFailureAction: Enforce
background: false
rules:
- name: verify-oci-annotation
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Images must specify a source/base image from which they are built."
foreach:
- list: "request.object.spec.containers"
context:
- name: imageData
imageRegistry:
reference: "{{ element.image }}"
- name: ocisourcelabels
variable:
jmesPath: imageData.configData.config.Labels | keys(@)
default: []
deny:
conditions:
all:
- key: "com.*****.os-policy.verified"
operator: AnyNotIn
value: "{{ ocisourcelabels}}"
但是当我试图创建一个PolicyException
来跳过带有特定注解的部署策略时,它不起作用。
apiVersion: kyverno.io/v2alpha1
kind: PolicyException
metadata:
name: delta-exception
namespace: test
spec:
exceptions:
- policyName: disallow-host-namespaces
ruleNames:
- verify-oci-annotation
- autogen-host-namespaces
match:
any:
- resources:
kinds:
- Pod
- Deployment
namespaces:
- test
我在应用Policyexcemption
后尝试了以下部署,但会失败
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: default
annotations:
*****.com-os-policy-internal-use: "true"
*****.com-os-policy-break-glass: "true"
spec:
selector:
matchLabels:
app: nginx
replicas: 2 # tells deployment to run 2 pods matching the template
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: junkimagename:latest
ports:
- containerPort: 80
但是,如果我尝试创建一个pod,
apiVersion: v1
kind: Pod
metadata:
name: badpod
namespace: default
annotations:
*****.com/os-policy.internal-use: "true"
*****.com/os-policy.break-glass: "true"
spec:
automountServiceAccountToken: false
containers:
- image: junkimagename:latest
name: node-exporter
如何在这个场景中编写PolicyException
,如果提供了特定的注解,它可以允许kind:Deployment
工作。
1条答案
按热度按时间wnvonmuf1#
可以用
preconditions
解决这个问题。这有助于消除添加excemptionpolicy
的需要在precondition中,我检查是否有为图像定义的注解,然后跳过此策略。
Example
: