I am learning how to use kyverno to write some policies, but I am having trouble understanding certain behaviour:
My first scenario is that I want to block some resources that may have spec.tier set. If it is set and is different from "Application", I want to block it. If it is not set, it should be allowed. So I tried this:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-block-tier
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: test-block-tier
      match:
        any:
          - resources:
              kinds:
                - crd.antrea.io/v1alpha1/NetworkPolicy
      preconditions:
        any:
          - key: "{{request.object.spec.tier || 'Application'}}"
            operator: NotEquals
            value: Application
      validate:
        message: "Antrea namespaced ANP can only be used on tier: Application"
        deny: {}
As long as the tier is set in the yaml, the policy works as expected.
Accepted if tier: Application
apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: test-np
spec:
  tier: Application
Denied if tier: anything else
apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: test-np
spec:
  tier: Emergency
But it is also denied when spec.tier is not set, which I did not expect, because the default value when the key does not exist is "Application": "{{request.object.spec.tier || 'Application'}}".
What should I change to make it work as expected?
Answer 1
Your example works for me:
/tmp/test ❯ cat neither.yaml ✘ INT
apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: test-np
/tmp/test ❯ cat policy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-block-tier
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: test-block-tier
      match:
        any:
          - resources:
              kinds:
                - crd.antrea.io/v1alpha1/NetworkPolicy
      preconditions:
        any:
          - key: "{{request.object.spec.tier || 'Application'}}"
            operator: NotEquals
            value: Application
      validate:
        message: "Antrea namespaced ANP can only be used on tier: Application"
        deny: {}
/tmp/test ❯ kyverno -v3 apply policy.yaml --resource neither.yaml
I1027 14:20:09.635300 9373 logr.go:261] "msg"="Defaulting request.operation to CREATE"
I1027 14:20:09.997558 9373 logr.go:261] "msg"="read policies" "errors"=0 "policies"=1
Applying 1 policy rule to 1 resource...
I1027 14:20:09.999904 9373 logr.go:261] "msg"="variable substituted" "path"="/preconditions/any/0/key" "value"=null "variable"=" {{request.object.spec.tier || 'Application'}}"
I1027 14:20:10.000398 9373 logr.go:261] "msg"="applying policy on resource" "policy"="test-block-tier" "resource"="default/NetworkPolicy/test-np"
I1027 14:20:10.002033 9373 validation.go:125] EngineValidate "msg"="processing validation rule" "applyRules"="All" "kind"="NetworkPolicy" "matchCount"=0 "name"="test-np" "namespace"="default" "policy"="test-block-tier" "rule"="test-block-tier"
I1027 14:20:10.003314 9373 vars.go:380] EngineValidate "msg"="variable substituted" "kind"="NetworkPolicy" "name"="test-np" "namespace"="default" "path"="/any/0/key" "policy"="test-block-tier" "rule"="test-block-tier" "value"="Application" "variable"=" {{request.object.spec.tier || 'Application'}}"
I1027 14:20:10.003766 9373 evaluate.go:57] EngineValidate "msg"="no condition passed for 'any' block" "any"=[{"key":"Application","operator":"NotEquals","value":"Application"}] "kind"="NetworkPolicy" "name"="test-np" "namespace"="default" "policy"="test-block-tier" "rule"="test-block-tier"
pass: 0, fail: 0, warn: 0, error: 0, skip: 1