Tentando criar uma política Kyverno que requer determinados valores de array. Eles têm exemplos de "mapas", como rótulos, mas não vi nada específico sobre arrays.
Aqui está um exemplo de Applicationrecurso:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentication
namespace: openshift-gitops
spec:
destination:
server: 'https://kubernetes.default.svc'
project: cluster-config
source:
path: cluster-config/authentication
repoURL: 'https://example.com/scm/gitops/openshift-prod-cluster.git'
targetRevision: master
syncPolicy:
automated:
selfHeal: true
retry:
backoff:
duration: 15s
factor: 2
maxDuration: 5m
limit: 15
syncOptions:
- ServerSideApply=true
- Validate=false
- FailOnSharedResource=true
Esta é minha última tentativa, mas ambas as regras falham em todos os aplicativos:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-server-side-sync
annotations:
policies.kyverno.io/title: Use Server-Side Sync
policies.kyverno.io/category: Argo
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Application
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/description: >-
By default, Argo CD executes `kubectl apply` operation to apply the configuration stored in Git.
This is a client side operation that relies on `kubectl.kubernetes.io/last-applied-configuration` annotation to
store the previous resource state. However, using server-side sync avoids issues with `kubectl.kubernetes.io/last-applied-configuration`
growing so large that it breaks standard syncing, and allows patching of existing cluster resources that are not fully
managed by Argo. Certain patch yamls may not be "valid" according to their resource definition and will need client-side
validation to be disabled in order to work. (`kube-api` will still perform server-side validation of the patched resource before applying the change.)
spec:
validationFailureAction: Audit
background: true
rules:
- name: enable-server-side-sync
match:
any:
- resources:
kinds:
- Application
validate:
message: >-
Server-side sync option must be enabled.
pattern:
- spec:
syncPolicy:
^(syncOptions):
- ServerSideApply: true
- name: disable-client-side-validation
match:
any:
- resources:
kinds:
- Application
validate:
message: >-
client-side validation must be disabled
pattern:
- spec:
syncPolicy:
syncOptions:
- Validate=false
então qual é a melhor maneira de exigir um valor de array?
Responder1
Infelizmente, oÂncora de existênciaatualmente não suporta uma matriz de strings, apenas uma matriz de objetos. Eu criei um aprimoramento para adicionar isso. Por enquanto, você pode usar uma instrução deny com uma expressão JMESPath simples para verificar se suas strings estão presentes.
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: require-server-side-sync
spec:
validationFailureAction: Enforce
background: true
rules:
- name: enable-server-side-sync
match:
any:
- resources:
kinds:
- Application
validate:
message: Server-side sync option must be enabled.
deny:
conditions:
all:
- key: ServerSideApply=true
operator: AnyNotIn
value: "{{ request.object.spec.syncPolicy.syncOptions[] }}"
- name: disable-client-side-validation
match:
any:
- resources:
kinds:
- Application
validate:
message: client-side validation must be disabled
deny:
conditions:
all:
- key: Validate=false
operator: AnyNotIn
value: "{{ request.object.spec.syncPolicy.syncOptions[] }}"