# Kyverno ClusterPolicy implementing Flux multi-tenancy guardrails: every Flux
# Kustomization / HelmRelease outside the exempted platform namespaces must run
# under an explicit ServiceAccount, and may only pull from a source object that
# lives in its own namespace. Three rules follow; the policy is cluster-wide.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: flux-multi-tenancy
spec:
  # enforce: a non-compliant object is rejected at admission time instead of
  # only being reported (audit mode).
  # NOTE(review): recent Kyverno releases document the capitalised value
  # `Enforce` and the `match.any` / `match.all` selectors; confirm that the
  # spelling and the `match.resources` form used here are accepted by the
  # installed Kyverno version.
  validationFailureAction: enforce
  rules:
    # Rule 1: .spec.serviceAccountName must be present and non-empty on every
    # Kustomization and HelmRelease outside flux-system, so that Flux applies
    # the tenant's manifests with that account's RBAC rather than with the
    # controller's own permissions.
    - name: serviceAccountName
      # Only flux-system is exempt from the ServiceAccount requirement.
      exclude:
        resources:
          namespaces:
            - flux-system
      # Bare kinds with no API group: matched in whichever API group exposes
      # a kind of that name.
      match:
        resources:
          kinds:
            - Kustomization
            - HelmRelease
      validate:
        message: ".spec.serviceAccountName is required"
        # "?*" is a Kyverno wildcard pattern: exactly one character followed by
        # any number of characters, i.e. the field must exist and be non-empty.
        pattern:
          spec:
            serviceAccountName: "?*"
    # Rule 2: a Kustomization may only reference a source in its own
    # namespace, so a tenant cannot deploy manifests pulled from another
    # tenant's (or the platform's) source object.
    - name: kustomizationSourceRefNamespace
      # NOTE(review): these namespaces are exempt from the same-namespace
      # check, a wider list than rule 1 (which exempts only flux-system).
      # Objects created in them may reference sources in any namespace, so
      # the exemption is only safe if tenants cannot create Kustomizations
      # there - confirm against the cluster RBAC.
      exclude:
        resources:
          namespaces:
            - flux-system
            - ingress-nginx
            - kyverno
            - monitoring
            - openebs
      match:
        resources:
          kinds:
            - Kustomization
      # The rule only runs when spec.sourceRef.namespace is set. An unset
      # value is left to the controller's default; assumes Flux resolves it to
      # the object's own namespace - TODO confirm for the Flux version in use.
      preconditions:
        any:
          - key: "{{request.object.spec.sourceRef.namespace}}"
            operator: NotEquals
            value: ""
      validate:
        message: "spec.sourceRef.namespace must be the same as metadata.namespace"
        # Deny when the referenced source's namespace differs from the
        # namespace the Kustomization itself lives in.
        deny:
          conditions:
            - key: "{{request.object.spec.sourceRef.namespace}}"
              operator: NotEquals
              value: "{{request.object.metadata.namespace}}"
    # Rule 3: the same same-namespace constraint for HelmRelease, whose source
    # reference sits under spec.chart.spec.sourceRef.
    - name: helmReleaseSourceRefNamespace
      # Same exemption list as rule 2; the RBAC caveat noted there applies to
      # HelmReleases created in these namespaces as well.
      exclude:
        resources:
          namespaces:
            - flux-system
            - ingress-nginx
            - kyverno
            - monitoring
            - openebs
      match:
        resources:
          kinds:
            - HelmRelease
      # Skipped when spec.chart.spec.sourceRef.namespace is unset; same
      # assumption about the controller's default as in rule 2.
      preconditions:
        any:
          - key: "{{request.object.spec.chart.spec.sourceRef.namespace}}"
            operator: NotEquals
            value: ""
      validate:
        message: "spec.chart.spec.sourceRef.namespace must be the same as metadata.namespace"
        # Deny when the chart's source namespace differs from the
        # HelmRelease's own namespace.
        deny:
          conditions:
            - key: "{{request.object.spec.chart.spec.sourceRef.namespace}}"
              operator: NotEquals
              value: "{{request.object.metadata.namespace}}"