Generation
Shivkumar Dudhani edited this page Jan 14, 2020 · 4 revisions
A policy rule can contain a `generate` block. It is used to create additional resources after the trigger resource has been created.

Scenario:

- A CREATE request arrives for the trigger resource.
- The Kubernetes Admission Controller forwards the request to the Kyverno admission webhooks.
- Kyverno identifies the policies with a `generate` operation that apply to this resource.
- Kyverno creates a `GenerateRequest` resource holding the resource and policy identifiers. The UserInfo of the API request is also stored in the resource.
- The `GenerateRequest` is watched by the Generate-Policy Controller, which applies the `generate` rules to create the resources specified in the policy. The `GenerateRequest` status is updated to indicate the failure or success of applying the policy to the resource.

If the trigger resource is updated, the policy is re-evaluated on it. (This is only supported for Namespace resources; support for other resources is to be added in the future.)
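To make the flow concrete, here is an added Python model (not Kyverno's own code) of the CREATE-triggered path above: it matches the add-networkpolicy rule shown on this page against a constructed Namespace admission request, substitutes the `{{request.object.metadata.name}}` variable, and returns the NetworkPolicy that the Generate-Policy Controller would create. The rule dict, the `{{...}}` substitution and the sample request are assumptions constructed for the example.

```python
import re
from fnmatch import fnmatch
# Constructed from the add-networkpolicy ClusterPolicy on this page (its single rule).
POLICY_RULE = {
    "name": "default-deny-ingress",
    "match": {"resources": {"kinds": ["Namespace"], "name": "*"}},
    "generate": {
        "kind": "NetworkPolicy",
        "name": "default-deny-ingress",
        "namespace": "{{request.object.metadata.name}}",
        "data": {"spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    },
}
VAR = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")  # e.g. {{request.object.metadata.name}}

def lookup(ctx, path):
    """Resolve a dotted variable path against the admission-request context."""
    cur = ctx
    for key in path.split("."):
        cur = cur[key]
    return cur

def substitute(value, ctx):
    """Replace {{...}} variables in strings nested inside lists and dicts."""
    if isinstance(value, str):
        return VAR.sub(lambda m: str(lookup(ctx, m.group(1))), value)
    if isinstance(value, list):
        return [substitute(v, ctx) for v in value]
    if isinstance(value, dict):
        return {k: substitute(v, ctx) for k, v in value.items()}
    return value

def rule_matches(rule, request):
    """A CREATE request triggers the rule when the object's kind and name match."""
    res, obj = rule["match"]["resources"], request["object"]
    return (request["operation"] == "CREATE" and obj["kind"] in res["kinds"]
            and fnmatch(obj["metadata"]["name"], res.get("name", "*")))

def apply_generate_rule(rule, request):
    """Return the resource the generate rule would create, or None when it does not match."""
    if not rule_matches(rule, request):
        return None
    ctx, gen = {"request": request}, rule["generate"]
    resource = {"kind": gen["kind"],
                "metadata": {"name": substitute(gen["name"], ctx),
                             "namespace": substitute(gen["namespace"], ctx)}}
    resource.update(substitute(gen["data"], ctx))  # the data block is the resource body
    return resource

# Constructed admission request for a new Namespace named team-a (not a real cluster event).
SAMPLE_REQUEST = {"operation": "CREATE", "object": {"kind": "Namespace", "metadata": {"name": "team-a"}}}
```

Calling `apply_generate_rule(POLICY_RULE, SAMPLE_REQUEST)` yields a NetworkPolicy in namespace `team-a` whose empty `podSelector` and `Ingress` policy type deny all ingress to every pod there; a Pod CREATE request, or an UPDATE of the namespace, returns `None` because only the matching CREATE path is modelled.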
Generate a default NetworkPolicy on Namespace creation:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
spec:
  rules:
  - name: default-deny-ingress
    match:
      resources:
        kinds:
        - Namespace
        name: "*"
    generate:
      kind: NetworkPolicy
      name: default-deny-ingress
      namespace: "{{request.object.metadata.name}}"
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          policyTypes:
          - Ingress
```

THIS WIKI IS NO LONGER MAINTAINED
For developer guides please see the DEVELOPMENT.md file.
For user guides please see https://kyverno.io/docs/.