Skip to content

Latest commit

 

History

History
82 lines (67 loc) · 2.23 KB

README.md

File metadata and controls

82 lines (67 loc) · 2.23 KB

Kubewarden Policy Repository Stable

This policy validates the annotations of generic Kubernetes objects.

The policy rejects all the resources that use one or more annotations on the deny list. The deny list is provided by at runtime via the policy configuration.

The policy allows users to put constraints on specific annotations. The constraints are expressed as regular expression and are provided via the policy settings.

The policy settings look like that:

# List of annotations that cannot be used
denied_annotations:
  - foo
  - bar

# List of annotations that must be defined
mandatory_annotations:
  - cost-center

# Annotations that are validate with user-defined RegExp
# Failing to comply with the RegExp resuls in the object
# being rejected
constrained_annotations:
  priority: "[123]"
  cost-center: "^cc-\\d+$"

Note well: the regular expression must be expressed using Go's syntax.

Given the configuration from above, the policy would reject the creation of this Pod:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  annotations:
    foo: hello world
spec:
  containers:
    - name: nginx
      image: nginx:latest

The policy would also reject the creation of this Ingress resource:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    cost-center: cc-marketing
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - http:
        paths:
          - path: /testpath
            pathType: Prefix
            backend:
              service:
                name: test
                port:
                  number: 80

Policy's settings can also be used to force certain annotations to be specified, regardless of their contents:

# Policy's settings

constrained_annotations:
  mandatory-annotation: ".*" # <- this annotation must be present, we don't care about its value