MinIO+Vault+Kaniko+KrakenD+Istio
July 3, 2023

Kyverno. Policy label required.

An example of a policy and of working with Kyverno.

Requiring labels on pods.

cat <<EOF | kubectl apply -f -
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "label 'app.kubernetes.io/name' is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
EOF

The error returned when a pod is created without the required label.

Error from server: error when creating "STDIN": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Pod/test/cam-nginx was blocked due to the following policies

require-labels:
  check-for-labels: 'validation error: label ''app.kubernetes.io/name'' is required.
    Rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/'

Listing the Kyverno policies.

kubectl get clusterpolicy.kyverno.io

kubectl get clusterpolicy.kyverno.io | grep "enforce"
require-labels                   true         enforce   true
kubectl get clusterpolicy.kyverno.io -owide
NAME                             BACKGROUND   ACTION    FAILURE POLICY   READY
disallow-capabilities            true         audit     Fail             true
disallow-host-namespaces         true         audit     Fail             true
disallow-host-path               true         audit     Fail             true
disallow-host-ports              true         audit     Fail             true
disallow-host-process            true         audit     Fail             true
disallow-privileged-containers   true         audit     Fail             true
disallow-proc-mount              true         audit     Fail             true
disallow-selinux                 true         audit     Fail             true
require-labels                   true         enforce   Fail             true
restrict-apparmor-profiles       true         audit     Fail             true
restrict-seccomp                 true         audit     Fail             true
restrict-sysctls                 true         audit     Fail             true

Describing the created policy.

kubectl describe clusterpolicy.kyverno.io require-labels
Name:         require-labels
Namespace:
Labels:       <none>
Annotations:  pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob
API Version:  kyverno.io/v1
Kind:         ClusterPolicy
Metadata:
  Creation Timestamp:  2023-07-03T17:08:33Z
  Generation:          2
  Managed Fields:
    API Version:  kyverno.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:validationFailureAction:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2023-07-03T17:08:33Z
    API Version:  kyverno.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        f:rules:
    Manager:      kyverno
    Operation:    Update
    Time:         2023-07-03T17:08:33Z
    API Version:  kyverno.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:ready:
    Manager:         kyverno
    Operation:       Update
    Subresource:     status
    Time:            2023-07-03T17:08:39Z
  Resource Version:  16764995
  UID:               3e5e1c5c-531f-421c-afc1-e93697305131
Spec:
  Background:      true
  Failure Policy:  Fail
  Rules:
    Exclude:
      Resources:
    Generate:
      Clone:
    Match:
      Any:
        Resources:
          Kinds:
            Pod
      Resources:
    Mutate:
    Name:  check-for-labels
    Validate:
      Message:  label 'app.kubernetes.io/name' is required
      Pattern:
        Metadata:
          Labels:
            app.kubernetes.io/name:  ?*
    Exclude:
      Resources:
    Generate:
      Clone:
    Match:
      Any:
        Resources:
          Kinds:
            DaemonSet
            Deployment
            Job
            StatefulSet
      Resources:
    Mutate:
    Name:  autogen-check-for-labels
    Validate:
      Message:  label 'app.kubernetes.io/name' is required
      Pattern:
        Spec:
          Template:
            Metadata:
              Labels:
                app.kubernetes.io/name:  ?*
    Exclude:
      Resources:
    Generate:
      Clone:
    Match:
      Any:
        Resources:
          Kinds:
            CronJob
      Resources:
    Mutate:
    Name:  autogen-cronjob-check-for-labels
    Validate:
      Message:  label 'app.kubernetes.io/name' is required
      Pattern:
        Spec:
          Job Template:
            Spec:
              Template:
                Metadata:
                  Labels:
                    app.kubernetes.io/name:  ?*
  Validation Failure Action:                 enforce
Status:
  Ready:  true
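The admission error above and the describe output show two things worth understanding before writing your own policies: how the "?*" pattern is evaluated (a wildcard match, so an empty label value is rejected too) and how Kyverno's autogen rewrites the Pod rule for controllers (spec.template for Deployment, DaemonSet, Job and StatefulSet; spec.jobTemplate.spec.template for CronJob). The script below is an added example, not Kyverno's own code: it re-implements that pattern walk locally so a manifest can be checked in CI before kubectl apply, and reports the same failing path the webhook prints. The manifests it checks are constructed inline as Python dicts (so no YAML library is needed); it covers wildcard matching only, not Kyverno's other pattern operators.

```python
"""Local pre-admission check mirroring the require-labels ClusterPolicy.

Added example (not Kyverno's code). Pattern semantics assumed here, matching
the Kyverno docs: '*' = any run of characters, '?' = exactly one character,
so '?*' means "present and non-empty".
"""
import fnmatch

# Constructed copy of the policy's validate.pattern from the page.
REQUIRE_LABELS_PATTERN = {"metadata": {"labels": {"app.kubernetes.io/name": "?*"}}}

# Kinds that Kyverno's autogen covers, as listed in the describe output.
POD_CONTROLLERS = {"DaemonSet", "Deployment", "Job", "StatefulSet"}


def match_value(pattern, value):
    """Wildcard match of one scalar value against a pattern string."""
    return fnmatch.fnmatchcase(value, pattern)


def validate_pattern(pattern, resource, path=""):
    """Walk the pattern over the resource; return the list of failing paths.

    Paths are formatted like the webhook message, e.g.
    '/metadata/labels/app.kubernetes.io/name/'. An empty list means the
    resource satisfies the pattern.
    """
    failures = []
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return [path + "/"]
        for key, sub_pattern in pattern.items():
            sub_path = f"{path}/{key}"
            if key not in resource:
                failures.append(sub_path + "/")          # key missing entirely
            else:
                failures.extend(validate_pattern(sub_pattern, resource[key], sub_path))
    elif isinstance(pattern, str):
        value = "" if resource is None else str(resource)
        if not match_value(pattern, value):
            failures.append(path + "/")                  # present but wrong/empty
    elif pattern != resource:
        failures.append(path + "/")
    return failures


def pattern_for_kind(kind, pod_pattern):
    """Re-create autogen: wrap the Pod pattern for controller kinds."""
    if kind == "Pod":
        return pod_pattern
    if kind in POD_CONTROLLERS:
        return {"spec": {"template": pod_pattern}}
    if kind == "CronJob":
        return {"spec": {"jobTemplate": {"spec": {"template": pod_pattern}}}}
    return None  # the policy does not match this kind at all


def check_resource(resource, pod_pattern=REQUIRE_LABELS_PATTERN):
    """Return (allowed, message), shaped like the admission response."""
    kind = resource.get("kind")
    pattern = pattern_for_kind(kind, pod_pattern)
    if pattern is None:
        return True, "policy does not apply"
    failures = validate_pattern(pattern, resource)
    if not failures:
        return True, "ok"
    meta = resource.get("metadata", {})
    name, ns = meta.get("name", "?"), meta.get("namespace", "default")
    return False, (f"resource {kind}/{ns}/{name} was blocked: label "
                   f"'app.kubernetes.io/name' is required. Rule check-for-labels "
                   f"failed at path {failures[0]}")


# Constructed sample manifests (dicts standing in for the YAML).
BLOCKED_POD = {"apiVersion": "v1", "kind": "Pod",
               "metadata": {"name": "cam-nginx", "namespace": "test",
                            "labels": {"app": "nginx", "environment": "prod"}}}
ALLOWED_POD = {"apiVersion": "v1", "kind": "Pod",
               "metadata": {"name": "cam-nginx", "namespace": "default",
                            "labels": {"app.kubernetes.io/name": "nginx"}}}
EMPTY_LABEL_POD = {"apiVersion": "v1", "kind": "Pod",
                   "metadata": {"name": "empty", "namespace": "default",
                                "labels": {"app.kubernetes.io/name": ""}}}
# Label set on the Deployment object, not on its pod template: autogen rule fails.
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
              "metadata": {"name": "web", "namespace": "default",
                           "labels": {"app.kubernetes.io/name": "web"}},
              "spec": {"template": {"metadata": {"labels": {"app": "web"}}}}}

if __name__ == "__main__":
    for manifest in (BLOCKED_POD, ALLOWED_POD, EMPTY_LABEL_POD, DEPLOYMENT):
        allowed, message = check_resource(manifest)
        print("ALLOW" if allowed else "DENY ", message)
```

Running it prints a DENY line for the first pod with the same failing path as the webhook, an ALLOW for the pod that carries the label, and DENY for the empty-value and Deployment cases, which is what Kyverno would do once the manifest reaches the API server.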

An example of a pod with the correct labels.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: cam-nginx
  namespace: default
  labels:
    app.kubernetes.io/name: nginx   # required by the require-labels policy
    app: nginx
    environment: prod
  annotations:
    author: cameda
spec:
  containers:
  - name: nginx
    image: nginx:latest
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
    - containerPort: 443
    resources:
      requests:
        cpu: 300m
        memory: 300Mi
      limits:
        memory: 400Mi
  restartPolicy: Always
  hostname: nginx
  subdomain: web
EOF