Policy structure

Cluster-wide (ClusterPolicy) and namespaced (Policy) policies are structured identically
(see later for the exceptions)

Example:

  rules:
  - name:
    match:
    exclude:
    preconditions:
    validate: | mutate:

applyRules can be:
  One   stops after the first rule that was applied
  All   processes all rules (the default)
match: what to process

Example:

  rules:
  - match:
      any: | all:
    exclude:

  resources   kinds (Pod etc.), names, namespaces, label selectors
  subjects    ServiceAccount, User etc.

Filter entries are OR'ed when using any (a resource is selected if any entry matches)
Filter entries are AND'ed when using all (every entry must match)
Optional exclude removes resources from the selection; it takes the same any: / all: filter structure as match
preconditions: when a rule applies

Example:

  rules:
  - preconditions:
      any: | all:
      - key:
        operator:
        value:

Preconditions are OR'ed when using any, AND'ed when using all
key supports JMESPath expressions, written as {{ ... }} variables; operator is one of Equals, NotEquals, In, NotIn, AnyIn, AllIn etc.
A rule whose preconditions are not met is skipped (it neither passes nor fails)
Many examples/demos on the following slides
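The following complete policy ties the previous slides together (applyRules, match with any:, exclude, preconditions with JMESPath keys, and a validate rule) in one resource. It is an added example for this page, not one of the deck's own demos or a policy shipped by the Kyverno project; the policy name, the team label, the environment label, the policy-scope namespace label and the excluded service account are all hypothetical.

```yaml
# Added example (hypothetical names and labels), not from the original slides.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-team-label-demo          # hypothetical policy name
spec:
  validationFailureAction: Enforce        # block non-compliant admission requests
  # background must be false here: the exclude block below uses subjects,
  # and Kyverno does not evaluate subject/role filters in background scans.
  background: false
  applyRules: All                         # default; One would stop after the first rule that applied
  rules:
  - name: require-team-label
    match:
      any:                                # OR'ed: either filter entry selects the resource
      - resources:
          kinds:
          - Deployment
          - StatefulSet
      - resources:
          kinds:
          - Pod
          namespaceSelector:              # only Pods in namespaces labelled policy-scope=strict
            matchLabels:
              policy-scope: strict        # hypothetical namespace label
    exclude:
      any:                                # same any:/all: structure as match
      - resources:
          namespaces:
          - kube-system
      - subjects:                         # requests made by this service account are not checked
        - kind: ServiceAccount
          name: cluster-bootstrapper      # hypothetical service account
          namespace: kube-system
    preconditions:
      all:                                # AND'ed: every precondition must hold
      # request.operation is empty outside admission; the || fallback keeps the
      # expression defined if the policy is ever switched to background mode.
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
      # Skip resources explicitly labelled environment=sandbox (missing label -> '').
      - key: "{{ request.object.metadata.labels.environment || '' }}"
        operator: NotEquals
        value: sandbox
    validate:
      message: "label 'team' is required on {{ request.object.kind }}/{{ request.object.metadata.name }}"
      pattern:
        metadata:
          labels:
            team: "?*"                    # wildcard: any non-empty value
```

Apply it with kubectl apply -f and create a Deployment without a team label: the admission request is denied with the message above, while the same Deployment labelled environment=sandbox is admitted because the second precondition fails and the rule is skipped. The Kyverno CLI can exercise the same policy offline (kyverno apply <policy.yaml> --resource <resource.yaml>), which is the quickest way to confirm that the match/exclude/precondition logic selects exactly the resources intended before switching a policy to Enforce.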
ClusterPolicy vs Policy

Cluster-wide policies are identical to namespaced policies, with one additional field: validationFailureActionOverrides
It modifies the action (Enforce or Audit) for a list of namespaces. The overrides form a list, and each entry carries its own action and namespaces:

  spec:
    validationFailureAction: Enforce
    validationFailureActionOverrides:
    - action: Audit
      namespaces:
      - kube-system
      - kube-public
    rules:

With this override, violations in kube-system and kube-public are only reported (PolicyReport), not blocked, while every other namespace stays in Enforce mode