Intentando crear una política de Kyverno que requiera ciertos valores de matriz. Tienen ejemplos de "mapas", como etiquetas, pero no vi nada específicamente sobre matrices.
Aquí hay un Application
recurso de muestra:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentication
namespace: openshift-gitops
spec:
destination:
server: 'https://kubernetes.default.svc'
project: cluster-config
source:
path: cluster-config/authentication
repoURL: 'https://example.com/scm/gitops/openshift-prod-cluster.git'
targetRevision: master
syncPolicy:
automated:
selfHeal: true
retry:
backoff:
duration: 15s
factor: 2
maxDuration: 5m
limit: 15
syncOptions:
- ServerSideApply=true
- Validate=false
- FailOnSharedResource=true
Este es mi último intento, pero ambas reglas fallan en todas las aplicaciones:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-server-side-sync
annotations:
policies.kyverno.io/title: Use Server-Side Sync
policies.kyverno.io/category: Argo
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Application
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/description: >-
By default, Argo CD executes `kubectl apply` operation to apply the configuration stored in Git.
This is a client side operation that relies on `kubectl.kubernetes.io/last-applied-configuration` annotation to
store the previous resource state. However, using server-side sync avoids issues with `kubectl.kubernetes.io/last-applied-configuration`
growing so large that it breaks standard syncing, and allows patching of existing cluster resources that are not fully
managed by Argo. Certain patch yamls may not be "valid" according to their resource definition and will need client-side
validation to be disabled in order to work. (`kube-api` will still perform server-side validation of the patched resource before applying the change.)
spec:
validationFailureAction: Audit
background: true
rules:
- name: enable-server-side-sync
match:
any:
- resources:
kinds:
- Application
validate:
message: >-
Server-side sync option must be enabled.
pattern:
- spec:
syncPolicy:
^(syncOptions):
- ServerSideApply: true
- name: disable-client-side-validation
match:
any:
- resources:
kinds:
- Application
validate:
message: >-
client-side validation must be disabled
pattern:
- spec:
syncPolicy:
syncOptions:
- Validate=false
Entonces, ¿cuál es la mejor manera de exigir un valor de matriz?
Respuesta1
Desafortunadamente, elAncla de existenciaActualmente no admite una matriz de cadenas, solo una matriz de objetos. He creado una mejora para agregar esto. Por ahora, puede usar una declaración de denegación con una expresión JMESPath simple para verificar que sus cadenas estén presentes.
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: require-server-side-sync
spec:
validationFailureAction: Enforce
background: true
rules:
- name: enable-server-side-sync
match:
any:
- resources:
kinds:
- Application
validate:
message: Server-side sync option must be enabled.
deny:
conditions:
all:
- key: ServerSideApply=true
operator: AnyNotIn
value: "{{ request.object.spec.syncPolicy.syncOptions[] }}"
- name: disable-client-side-validation
match:
any:
- resources:
kinds:
- Application
validate:
message: client-side validation must be disabled
deny:
conditions:
all:
- key: Validate=false
operator: AnyNotIn
value: "{{ request.object.spec.syncPolicy.syncOptions[] }}"