I am trying to create a Kyverno policy that requires specific array values. There are examples for "maps" such as labels, but I have not seen anything specifically for arrays.
A sample Application resource looks like this:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentication
  namespace: openshift-gitops
spec:
  destination:
    server: 'https://kubernetes.default.svc'
  project: cluster-config
  source:
    path: cluster-config/authentication
    repoURL: 'https://example.com/scm/gitops/openshift-prod-cluster.git'
    targetRevision: master
  syncPolicy:
    automated:
      selfHeal: true
    retry:
      backoff:
        duration: 15s
        factor: 2
        maxDuration: 5m
      limit: 15
    syncOptions:
      - ServerSideApply=true
      - Validate=false
      - FailOnSharedResource=true
This is my latest attempt, but both rules fail on every Application.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-server-side-sync
  annotations:
    policies.kyverno.io/title: Use Server-Side Sync
    policies.kyverno.io/category: Argo
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Application
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      By default, Argo CD executes `kubectl apply` operation to apply the configuration stored in Git.
      This is a client side operation that relies on `kubectl.kubernetes.io/last-applied-configuration` annotation to
      store the previous resource state. However, using server-side sync avoids issues with `kubectl.kubernetes.io/last-applied-configuration`
      growing so large that it breaks standard syncing, and allows patching of existing cluster resources that are not fully
      managed by Argo. Certain patch yamls may not be "valid" according to their resource definition and will need client-side
      validation to be disabled in order to work. (`kube-api` will still perform server-side validation of the patched resource before applying the change.)
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: enable-server-side-sync
      match:
        any:
          - resources:
              kinds:
                - Application
      validate:
        message: >-
          Server-side sync option must be enabled.
        pattern:
          - spec:
              syncPolicy:
                ^(syncOptions):
                  - ServerSideApply: true
    - name: disable-client-side-validation
      match:
        any:
          - resources:
              kinds:
                - Application
      validate:
        message: >-
          client-side validation must be disabled
        pattern:
          - spec:
              syncPolicy:
                syncOptions:
                  - Validate=false
So what is the best way to require array values?
Answer 1
Unfortunately, the existence anchor currently does not support arrays of strings, only arrays of objects. I have filed an enhancement to add this. For now, you can use a deny statement with a simple JMESPath expression to check that the string is present.
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: require-server-side-sync
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: enable-server-side-sync
      match:
        any:
          - resources:
              kinds:
                - Application
      validate:
        message: Server-side sync option must be enabled.
        deny:
          conditions:
            all:
              - key: ServerSideApply=true
                operator: AnyNotIn
                value: "{{ request.object.spec.syncPolicy.syncOptions[] }}"
    - name: disable-client-side-validation
      match:
        any:
          - resources:
              kinds:
                - Application
      validate:
        message: client-side validation must be disabled
        deny:
          conditions:
            all:
              - key: Validate=false
                operator: AnyNotIn
                value: "{{ request.object.spec.syncPolicy.syncOptions[] }}"
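As an added, offline illustration of what the deny rule in the answer above evaluates (this is example code, not part of the answer and not Kyverno's own implementation): the Python below re-implements the `AnyNotIn` comparison between the `key` string and the `syncOptions` list that the JMESPath expression returns, and runs it over three constructed Application manifests: one with both required options, one with an unrelated option only, and one with no `syncPolicy` at all. The sample manifests, the `lookup` helper (a minimal stand-in for the JMESPath path walk) and the treatment of a missing `syncOptions` as an empty list (fail closed) are assumptions made for this example; check the last one against your Kyverno version.

```python
"""Offline simulation of the deny-based Kyverno check from the answer above.

Kyverno's `deny.conditions` with operator AnyNotIn asks: "is any element of
`key` absent from `value`?". With key = "ServerSideApply=true" and value = the
Application's spec.syncPolicy.syncOptions list, the rule denies when the option
is missing. This re-implements that comparison so it can be run without a cluster.
"""
from typing import Any

# Constructed sample Application resources (already parsed, as Kyverno sees
# request.object). Only the fields the rules touch are included.
APPLICATIONS: dict[str, dict[str, Any]] = {
    # mirrors the manifest in the question: both required options present
    "authentication": {
        "apiVersion": "argoproj.io/v1alpha1",
        "kind": "Application",
        "metadata": {"name": "authentication", "namespace": "openshift-gitops"},
        "spec": {
            "syncPolicy": {
                "syncOptions": [
                    "ServerSideApply=true",
                    "Validate=false",
                    "FailOnSharedResource=true",
                ]
            }
        },
    },
    # has a syncOptions list, but neither required entry
    "monitoring": {
        "apiVersion": "argoproj.io/v1alpha1",
        "kind": "Application",
        "metadata": {"name": "monitoring", "namespace": "openshift-gitops"},
        "spec": {"syncPolicy": {"syncOptions": ["CreateNamespace=true"]}},
    },
    # no syncPolicy at all: the JMESPath lookup yields null
    "logging": {
        "apiVersion": "argoproj.io/v1alpha1",
        "kind": "Application",
        "metadata": {"name": "logging", "namespace": "openshift-gitops"},
        "spec": {},
    },
}

# Rule name -> the `key` string from that rule's deny condition in the policy
RULES: dict[str, str] = {
    "enable-server-side-sync": "ServerSideApply=true",
    "disable-client-side-validation": "Validate=false",
}


def lookup(obj: Any, path: str) -> Any:
    """Minimal stand-in (assumption) for the JMESPath expression
    `request.object.spec.syncPolicy.syncOptions[]`: walk dotted keys and
    return None when any segment is missing, as JMESPath does."""
    current = obj
    for segment in path.split("."):
        if not isinstance(current, dict) or segment not in current:
            return None
        current = current[segment]
    return current


def any_not_in(key: Any, value: Any) -> bool:
    """Kyverno's AnyNotIn operator: true if any element of `key` is absent from
    `value`. A scalar key is treated as a one-element list. A null `value`
    (syncOptions missing) is treated here as an empty list, so every key is
    "not in" it and the rule denies; this fail-closed handling is an assumption."""
    keys = key if isinstance(key, list) else [key]
    if value is None:
        values: list[Any] = []
    elif isinstance(value, list):
        values = value
    else:
        values = [value]
    return any(k not in values for k in keys)


def evaluate(app: dict[str, Any]) -> dict[str, bool]:
    """Return {rule name: denied?} for one Application, mirroring the policy."""
    sync_options = lookup(app, "spec.syncPolicy.syncOptions")
    return {rule: any_not_in(required, sync_options) for rule, required in RULES.items()}


def denied_rules(app: dict[str, Any]) -> list[str]:
    """Names of the rules that would block (Enforce) or report (Audit) the app."""
    return [rule for rule, denied in evaluate(app).items() if denied]


if __name__ == "__main__":
    for name, app in APPLICATIONS.items():
        failures = denied_rules(app)
        status = "PASS" if not failures else "DENY " + ", ".join(failures)
        print(f"{name:16s} {status}")
```

Running the script shows `authentication` passing both rules while `monitoring` and `logging` are denied by both. The third manifest is the case worth keeping in mind: with `deny`, an Application that has no `syncOptions` list at all is rejected by the same condition, whereas a pattern-based rule would have had to express that with an anchor.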