Writing policies

Cluster-wide and namespaced policies are identical

See later for exceptions

Example:

rules:
- name:
  match:
  exclude:
  preconditions:
  validate: | mutate:

applyRules can be…


Rules

Example:

rules:
- match:
    any: | all:
  exclude:

match what to process…

Match entries are OR’ed when listed under any

Match entries are AND’ed when listed under all

Optional exclude allows exclusion (similar to match)


Preconditions

Example:

rules:
- preconditions:
    any: | all:
    - key:
      operator:
      value:

Preconditions are OR’ed / AND’ed when using any / all

key supports JMESPath expressions

Operators


Validate / Mutate

Many examples/demos on the following slides


ClusterPolicy

Cluster-wide policies are identical to namespaced policies

One additional field validationFailureActionOverrides

Modify action (Enforce or Audit) for a list of namespaces:

spec:
  validationFailureActionOverrides:
  - action: Audit
    namespaces:
    - kube-system
    - kube-public
  rules:
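A complete ClusterPolicy that puts the pieces from the previous slides together: a rule with match (any), exclude, a JMESPath precondition and a validate block, plus the per-namespace override. This is an added example, not a policy from the deck; the policy name, the required label key and the namespace lists are constructed for illustration.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-team-label            # constructed name for this example
spec:
  # Default action for every namespace not listed in the overrides
  validationFailureAction: Enforce
  # Overrides is a list: each entry pairs an action with its namespaces
  validationFailureActionOverrides:
  - action: Audit
    namespaces:
    - kube-system
    - kube-public
  rules:
  - name: check-team-label
    match:
      any:                            # entries are OR'ed
      - resources:
          kinds:
          - Pod
          - Deployment
    exclude:
      any:                            # exclusion uses the same shape as match
      - resources:
          namespaces:
          - kyverno
    preconditions:
      all:                            # entries are AND'ed
      - key: "{{ request.operation || 'BACKGROUND' }}"   # JMESPath expression
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "The label `team` is required."   # constructed label key
      pattern:
        metadata:
          labels:
            team: "?*"                # any non-empty value
```

With this policy a Deployment created without a `team` label is rejected in ordinary namespaces but only reported (Audit) in kube-system and kube-public.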