Cluster-wide and namespaced policies are identical
See later for exceptions
Example:
rules:
- name:
match:
exclude:
preconditions:
validate: | mutate:
applyRules can be…
One stops after one rules was appliedAll processes all rulesExample:
rules:
- match:
any: | all:
exclude:
match what to process…
Pod etc.ServiceAccount, User etc.Rules are OR’ed when using any
Rules are AND’ed when using all
Optional exclude allows exclusion (similar to match)
Example:
rules:
- preconditions:
any: | all:
- key:
operator:
value:
Preconditions are OR’ed / AND’ed when using any / all
key supports JMESPath expressions
Many examples/demos on the following slides
Cluster-wide policies are identical to namespaced policies
One additional field validationFailureActionOverrides
Modify action (Enforce or Audit) for a list of namespaces:
spec:
validationFailureActionOverrides:
action: Audit
namespaces:
- kube-system
- kube-public
rules: