我创建了一个策略,Service为命名空间中的每个对象生成 s Deployment。有一件事我无法弄清楚,那就是它是一个Policy而不是ClusterPolicy,我想让命名空间属性动态化。(因为该策略是用于定义 qa 和 prod 环境的 Kustomize 覆盖的一部分。)但它似乎并没有在验证策略之前解释此字段中的变量:
准入 webhook“validate-policy.kyverno.svc”拒绝了请求:路径:spec.rules[create-service]:命名空间策略无法在其他命名空间中生成资源,预期:bradmac-integration-platform,收到:{{ request.object.metadata.namespace }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: auto-generate-services
annotations:
policies.kyverno.io/title: Autogenerate services for deployments
policies.kyverno.io/category: Argo
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Deployment, Service
policies.kyverno.io/description: >-
This policy generates `Service`s automatically based on `Deployment`s.
spec:
generateExistingOnPolicyUpdate: true
rules:
- name: create-service
match:
all:
- resources:
kinds:
- Deployment
generate:
apiVersion: v1
kind: Service
name: "{{ regex_replace_all('-deploy', request.object.metadata.name, '') }}-service"
namespace: "{{request.object.metadata.name}}" # <- this variable isn't being interpolated
synchronize: true
data:
metadata:
ownerReferences:
- apiVersion: v1
kind: Deployment
name: "{{ request.object.metadata.name }}"
uid: "{{request.object.metadata.uid}}"
spec:
selector:
app: "{{ regex_replace_all('-deploy', request.object.metadata.name, '') }}"
ports:
- port: 80
targetPort: 8085
protocol: "TCP"
type: ClusterIP
有谁知道有什么解决方法可以使其适用于覆盖层所放置的任何命名空间?