MinIO+Vault+Kaniko+KrakenD+Istio
July 3, 2023
Kyverno. Policy label required.
An example of a policy and of working with Kyverno.
Requiring labels on pods.
cat <<EOF | kubectl apply -f -
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "label 'app.kubernetes.io/name' is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
EOF
The error returned when a pod is created without the required label.
Error from server: error when creating "STDIN": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/test/cam-nginx was blocked due to the following policies require-labels: check-for-labels: 'validation error: label ''app.kubernetes.io/name'' is required. Rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/'
kubectl get clusterpolicy.kyverno.io
kubectl get clusterpolicy.kyverno.io | grep "enforce"
require-labels   true   enforce   true
kubectl get clusterpolicy.kyverno.io -owide
NAME                             BACKGROUND   ACTION    FAILURE POLICY   READY
disallow-capabilities            true         audit     Fail             true
disallow-host-namespaces         true         audit     Fail             true
disallow-host-path               true         audit     Fail             true
disallow-host-ports              true         audit     Fail             true
disallow-host-process            true         audit     Fail             true
disallow-privileged-containers   true         audit     Fail             true
disallow-proc-mount              true         audit     Fail             true
disallow-selinux                 true         audit     Fail             true
require-labels                   true         enforce   Fail             true
restrict-apparmor-profiles       true         audit     Fail             true
restrict-seccomp                 true         audit     Fail             true
restrict-sysctls                 true         audit     Fail             true
kubectl describe clusterpolicy.kyverno.io require-labels
Name:         require-labels
Namespace:
Labels:       <none>
Annotations:  pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob
API Version:  kyverno.io/v1
Kind:         ClusterPolicy
Metadata:
  Creation Timestamp:  2023-07-03T17:08:33Z
  Generation:          2
  Managed Fields:
    API Version:  kyverno.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:validationFailureAction:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2023-07-03T17:08:33Z
    API Version:  kyverno.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        f:rules:
    Manager:      kyverno
    Operation:    Update
    Time:         2023-07-03T17:08:33Z
    API Version:  kyverno.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:ready:
    Manager:         kyverno
    Operation:       Update
    Subresource:     status
    Time:            2023-07-03T17:08:39Z
  Resource Version:  16764995
  UID:               3e5e1c5c-531f-421c-afc1-e93697305131
Spec:
  Background:      true
  Failure Policy:  Fail
  Rules:
    Exclude:
      Resources:
    Generate:
      Clone:
    Match:
      Any:
        Resources:
          Kinds:
            Pod
      Resources:
    Mutate:
    Name:  check-for-labels
    Validate:
      Message:  label 'app.kubernetes.io/name' is required
      Pattern:
        Metadata:
          Labels:
            app.kubernetes.io/name:  ?*
    Exclude:
      Resources:
    Generate:
      Clone:
    Match:
      Any:
        Resources:
          Kinds:
            DaemonSet
            Deployment
            Job
            StatefulSet
      Resources:
    Mutate:
    Name:  autogen-check-for-labels
    Validate:
      Message:  label 'app.kubernetes.io/name' is required
      Pattern:
        Spec:
          Template:
            Metadata:
              Labels:
                app.kubernetes.io/name:  ?*
    Exclude:
      Resources:
    Generate:
      Clone:
    Match:
      Any:
        Resources:
          Kinds:
            CronJob
      Resources:
    Mutate:
    Name:  autogen-cronjob-check-for-labels
    Validate:
      Message:  label 'app.kubernetes.io/name' is required
      Pattern:
        Spec:
          Job Template:
            Spec:
              Template:
                Metadata:
                  Labels:
                    app.kubernetes.io/name:  ?*
  Validation Failure Action:  enforce
Status:
  Ready:  true
An example pod with the correct labels
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: cam-nginx
  namespace: default
  labels:
    app: nginx
    environment: prod
  annotations:
    author: cameda
spec:
  containers:
  - name: nginx
    image: nginx:latest
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
    - containerPort: 443
    resources:
      requests:
        cpu: 300m
        memory: 300Mi
      limits:
        memory: 400Mi
  restartPolicy: Always
  hostname: nginx
  subdomain: web
EOF
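To make the behaviour of the require-labels rule easy to reason about without a cluster, here is an added example (my own code, not Kyverno's and not from this post) that models what the webhook checks: the `?*` pattern means the label must be present with a non-empty value, and the autogen rules from the `kubectl describe` output above look for that label in the pod template of DaemonSet/Deployment/Job/StatefulSet and in the job template of a CronJob rather than on the controller object itself. The manifests are constructed dicts; the first one mirrors the cam-nginx pod above, which carries `app` and `environment` labels but not `app.kubernetes.io/name` and is therefore blocked, exactly as the admission error earlier in the post shows.

```python
from fnmatch import fnmatchcase

# Where the require-labels rule and its autogen variants look for labels, per
# kind. These paths follow the three rules shown by `kubectl describe`.
LABEL_PATHS = {
    "Pod": ("metadata", "labels"),
    "DaemonSet": ("spec", "template", "metadata", "labels"),
    "Deployment": ("spec", "template", "metadata", "labels"),
    "Job": ("spec", "template", "metadata", "labels"),
    "StatefulSet": ("spec", "template", "metadata", "labels"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "metadata", "labels"),
}

REQUIRED_LABEL = "app.kubernetes.io/name"
# Kyverno wildcard from the policy: '?' is exactly one character, '*' any run,
# so '?*' requires a non-empty value. fnmatchcase implements the same '?'/'*'.
PATTERN = "?*"


def _dig(obj, path):
    """Walk nested dicts along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_require_labels(resource):
    """Evaluate the require-labels rule on one parsed manifest.

    Returns (allowed, message). Kinds the policy does not match are allowed,
    as they would be by the real webhook.
    """
    kind = resource.get("kind")
    if kind not in LABEL_PATHS:
        return True, "kind %s is not matched by require-labels" % kind
    path = LABEL_PATHS[kind]
    labels = _dig(resource, path)
    value = labels.get(REQUIRED_LABEL) if isinstance(labels, dict) else None
    if isinstance(value, str) and fnmatchcase(value, PATTERN):
        return True, "ok"
    failed_at = "/" + "/".join(path + (REQUIRED_LABEL,)) + "/"
    return False, ("validation error: label '%s' is required. "
                   "Rule check-for-labels failed at path %s"
                   % (REQUIRED_LABEL, failed_at))


# Constructed sample manifests (not real cluster objects).
POD_FROM_POST = {  # same labels as the cam-nginx pod above: blocked
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "cam-nginx", "namespace": "default",
                 "labels": {"app": "nginx", "environment": "prod"}},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]},
}
POD_OK = {  # carries the required label: allowed
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "cam-nginx",
                 "labels": {"app.kubernetes.io/name": "nginx"}},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]},
}
DEPLOY_LABEL_ON_WRONG_LEVEL = {  # label on the Deployment, not its pod template
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "labels": {"app.kubernetes.io/name": "web"}},
    "spec": {"template": {"metadata": {"labels": {"app": "web"}},
                          "spec": {"containers": []}}},
}
CRONJOB_OK = {  # autogen-cronjob rule: label sits under jobTemplate
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "backup"},
    "spec": {"schedule": "0 * * * *",
             "jobTemplate": {"spec": {"template": {
                 "metadata": {"labels": {"app.kubernetes.io/name": "backup"}},
                 "spec": {"containers": []}}}}},
}
POD_EMPTY_VALUE = {  # label present but empty: '?*' rejects it
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "x", "labels": {"app.kubernetes.io/name": ""}},
    "spec": {},
}

if __name__ == "__main__":
    samples = [("pod from post", POD_FROM_POST), ("pod ok", POD_OK),
               ("deployment, wrong level", DEPLOY_LABEL_ON_WRONG_LEVEL),
               ("cronjob ok", CRONJOB_OK), ("pod empty value", POD_EMPTY_VALUE)]
    for name, manifest in samples:
        allowed, msg = check_require_labels(manifest)
        print("%-24s %s  %s" % (name, "allowed" if allowed else "blocked", msg))
```

The Deployment sample is the case that bites most often in practice: labelling the controller object satisfies nothing, because the autogenerated rule validates `spec.template.metadata.labels`, which is what ends up on the pods. Note also that with `validationFailureAction: audit` (the setting every other policy in the `-owide` listing uses) the same failure would only be reported in a PolicyReport, not rejected; only `enforce` blocks the request.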