Policy Structure¶
Kyverno policies are Kubernetes resources and can be easily managed via Kubernetes APIs, GitOps workflows, and other existing tools.
Policies that apply to JSON payload have a few differences from Kyverno policies that are applied to Kubernetes resources at admission controls.
Resource Scope¶
Policies that apply to JSON payloads are always cluster-wide resources.
API Group and Kind¶
kyverno-json
policies belong to the json.kyverno.io
group and can only be of kind ValidatingPolicy
.
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: test
spec:
rules:
- name: foo-bar-4
validate:
assert:
all:
- foo:
bar: 4
Policy Rules¶
A policy can have multiple rules, and rules are processed in order. Evaluation stops at the first rule that fails.
Match and Exclude¶
Policies that apply to JSON payloads use assertion trees in both the match
/exclude
declarations as well as the validate
rule declaration.
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: required-s3-tags
spec:
rules:
- name: require-team-tag
identifier: address
match:
any:
- type: aws_s3_bucket
exclude:
any:
- name: bypass-me
validate:
assert:
all:
- values:
tags:
Team: ?*
In the example above, every resource having type: aws_s3_bucket
will match, and payloads having name: bypass-me
will be excluded.
Identifying Payload Entries¶
A policy rule can contain an optional identifier
which declares the path to the payload element that uniquely identifies each entry.
Context Entries¶
A policy rule can contain optional context
entries that are made available to the rule via bindings:
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: required-s3-tags
spec:
rules:
- name: require-team-tag
match:
any:
- type: aws_s3_bucket
context:
# creates a `expectedTeam` binding automatically
- name: expectedTeam
variable: Kyverno
validate:
message: Bucket `{{ name }}` does not have the required Team tag {{ $expectedTeam }}
assert:
all:
- values:
tags:
# use the `$expectedTeam` binding coming from the context
Team: ($expectedTeam)
No forEach
, pattern operators
, anchors
, or wildcards
¶
The use of assertion trees addresses some features of Kyverno policies that apply to Kubernetes resources.
Specifically, forEach, pattern operators, anchors, or wildcards are not supported for policies that apply to JSON resources. Instead, assertion trees with JMESPath expressions are used to achieve the same powerful features.