OperationPolicy
Scope: Cluster
Version: v1alpha1
Describes an operation policy for a cluster.
Each CustomResource OperationPolicy
describes rules for objects in a cluster.
- spec
Required value
- spec.enforcementAction
The enforcement action to control what to do with the result of the constraint.
  - Deny — Deny action.
  - Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana in the Security/Admission policy engine dashboard.
  - Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.
Default: "Deny"
Allowed values: Warn, Deny, Dryrun
- spec.match
Required value
- spec.match.labelSelector
Specifies the label selector to filter Pods with.
You can get more info in the documentation.
- spec.match.labelSelector.matchExpressions
List of label expressions for Pods.
Example:
  matchExpressions:
  - key: tier
    operator: In
    values:
    - production
    - staging
- spec.match.labelSelector.matchExpressions.key
Required value
- spec.match.labelSelector.matchExpressions.operator
Required value
Allowed values: In, NotIn, Exists, DoesNotExist
- spec.match.labelSelector.matchExpressions.values
- spec.match.labelSelector.matchLabels
List of labels which Pod should have.
Example:
  matchLabels:
    foo: bar
    baz: who
- spec.match.namespaceSelector
Specifies the Namespace selector to filter objects with.
- spec.match.namespaceSelector.excludeNames
Include all namespaces except a particular set. Supports glob patterns.
- spec.match.namespaceSelector.labelSelector
Specifies the label selector to filter namespaces.
You can get more info in the documentation.
- spec.match.namespaceSelector.labelSelector.matchExpressions
List of label expressions for namespaces.
Example:
  matchExpressions:
  - key: tier
    operator: In
    values:
    - production
    - staging
- spec.match.namespaceSelector.labelSelector.matchExpressions.key
Required value
- spec.match.namespaceSelector.labelSelector.matchExpressions.operator
Required value
Allowed values: In, NotIn, Exists, DoesNotExist
- spec.match.namespaceSelector.labelSelector.matchExpressions.values
- spec.match.namespaceSelector.labelSelector.matchLabels
List of labels which a namespace should have.
Example:
  matchLabels:
    foo: bar
    baz: who
- spec.match.namespaceSelector.matchNames
Include only a particular set of namespaces. Supports glob patterns.
- spec.policies
Required value
- spec.policies.allowedRepos
The list of prefixes a container image is allowed to have.
- Element of the array
Example: registry.deckhouse.io
- spec.policies.checkContainerDuplicates
Check container names and env variables for duplicates.
- spec.policies.checkHostNetworkDNSPolicy
Check that the ClusterFirstWithHostNet dnsPolicy is set for Pods with hostNetwork: true.
- spec.policies.disallowedImageTags
Array of strings. Requires container images to have an image tag different from the ones in the specified list.
Example:
  disallowedImageTags:
  - latest
- spec.policies.imagePullPolicy
Required image pull policy for containers.
Allowed values: Always, IfNotPresent
- spec.policies.ingressClassNames
List of allowed ingress class names.
- spec.policies.maxRevisionHistoryLimit
A maximum value for a revision history.
- spec.policies.priorityClassNames
List of allowed priority class names.
- spec.policies.replicaLimits
A range of allowed replicas. Values are inclusive.
- spec.policies.replicaLimits.maxReplicas
The maximum number of replicas allowed, inclusive.
- spec.policies.replicaLimits.minReplicas
The minimum number of replicas allowed, inclusive.
- spec.policies.requiredAnnotations
A list of annotations and values the object must specify.
- spec.policies.requiredAnnotations.annotations
- spec.policies.requiredAnnotations.annotations.allowedRegex
If specified, a regular expression the annotation's value must match. The value must contain at least one match for the regular expression.
- spec.policies.requiredAnnotations.annotations.key
The required annotation.
- spec.policies.requiredAnnotations.watchKinds
The list of Kubernetes objects in the format $apiGroup/$kind to watch the annotations on.
- Element of the array
Pattern: ^[a-z]*/[a-zA-Z]+$
Examples: apps/Deployment, "/Pod", networking.k8s.io/Ingress
- spec.policies.requiredLabels
A list of labels and values the object must specify.
- spec.policies.requiredLabels.labels
- spec.policies.requiredLabels.labels.allowedRegex
If specified, a regular expression the label's value must match. The value must contain at least one match for the regular expression.
- spec.policies.requiredLabels.labels.key
The required label.
- spec.policies.requiredLabels.watchKinds
The list of Kubernetes objects in the format $apiGroup/$kind to watch the labels on.
- Element of the array
Pattern: ^[a-z]*/[a-zA-Z]+$
Examples: apps/Deployment, "/Pod", networking.k8s.io/Ingress
- spec.policies.requiredProbes
The list of probes that are required (e.g. readinessProbe and livenessProbe).
Example:
  requiredProbes:
  - readinessProbe
  - livenessProbe
- Element of the array
Allowed values: livenessProbe, readinessProbe, startupProbe
- spec.policies.requiredResources
Requires containers to have defined resources set.
- spec.policies.requiredResources.limits
A list of limits that should be enforced (CPU, memory, or both).
- Element of the array
Allowed values: cpu, memory
- spec.policies.requiredResources.requests
A list of requests that should be enforced (CPU, memory, or both).
- Element of the array
Allowed values: cpu, memory
- spec.policies.storageClassNames
List of allowed storage class names.
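A complete OperationPolicy that combines the match and policies fields described above, added here as an illustration rather than taken from the Deckhouse documentation. The apiVersion group (deckhouse.io), the namespace and registry names, and the boolean form of checkHostNetworkDNSPolicy are assumptions; it starts in Dryrun so that violations are only recorded until the existing workloads are known to pass.

```yaml
apiVersion: deckhouse.io/v1alpha1  # assumed API group; the page gives only Version v1alpha1
kind: OperationPolicy
metadata:
  name: baseline-workload-policy  # constructed name
spec:
  # Dryrun records violations (Grafana, Security/Admission policy engine dashboard)
  # without blocking anything; change to Deny once existing workloads pass.
  enforcementAction: Dryrun
  match:
    namespaceSelector:
      # Everything except system namespaces; glob patterns are supported.
      excludeNames:
        - "kube-*"
        - "d8-*"
      labelSelector:
        matchExpressions:
          - key: environment
            operator: In
            values:
              - production
              - staging
  policies:
    allowedRepos:
      - registry.deckhouse.io
      - registry.example.com/internal  # assumed private registry prefix
    disallowedImageTags:
      - latest
    imagePullPolicy: Always
    checkHostNetworkDNSPolicy: true  # boolean form assumed
    requiredResources:
      requests:
        - cpu
        - memory
      limits:
        - memory
    requiredProbes:
      - readinessProbe
      - livenessProbe
    replicaLimits:
      minReplicas: 2
      maxReplicas: 10
    requiredLabels:
      labels:
        - key: app.kubernetes.io/name
        - key: owner
          allowedRegex: "^[a-z][a-z0-9-]+$"
      watchKinds:
        - apps/Deployment
        - apps/StatefulSet
```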