Mutation Custom Resources

For mutation hooks, the reinvocationPolicy: IfNeeded setting is used in MutatingWebhookConfiguration. More details in the Kubernetes documentation.

Reference

These resources provide a configurable set of policies for modifying Kubernetes resources at the time they are deployed.

Reference

Allows you to modify the Metadata section of a resource.
At the moment, Gatekeeper only allows adding labels and annotations. Modifying existing ones is not supported.

An example of adding the label owner with the value admin in all namespaces:

```yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: AssignMetadata
metadata:
  name: demo-annotation-owner
spec:
  match:
    scope: Namespaced
  location: "metadata.labels.owner"
  parameters:
    assign:
      value: "admin"
```

Assign

Allows you to modify fields outside the Metadata section.

An example of setting imagePullPolicy for all containers to Always in all namespaces except the system namespace:

```yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: demo-image-pull-policy
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    excludedNamespaces: ["system"]
  location: "spec.containers[name:*].imagePullPolicy"
  parameters:
    assign:
      value: Always
```

ModifySet

Reference

Allows you to add and remove items from a list, such as the list of arguments for running a container.
New values are added to the end of the list.

An example of removing the --alsologtostderr argument from all containers in a pod:

```yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: ModifySet
metadata:
  name: remove-err-logging
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  location: "spec.containers[name: *].args"
  parameters:
    operation: prune
    values:
      fromList:
      - --alsologtostderr
```

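How the AssignMetadata, Assign and ModifySet examples above change an incoming Pod, as an added Python model (not Gatekeeper's code and not part of the original page). The Pod is constructed, the helper names are hypothetical, match/applyTo selection is not modelled, and creating a missing list on merge is an assumption.

```python
import copy
import json

# Constructed sample Pod: it already carries an owner label, and one container has no args.
POD = {
    "metadata": {"name": "web", "namespace": "default", "labels": {"owner": "alice"}},
    "spec": {"containers": [
        {"name": "app", "image": "app:1", "imagePullPolicy": "IfNotPresent",
         "args": ["--v=2", "--alsologtostderr"]},
        {"name": "sidecar", "image": "proxy:1"},
    ]},
}

def assign_metadata(obj, key, value, kind="labels"):
    """AssignMetadata model: add the label/annotation only when the key is absent."""
    obj.setdefault("metadata", {}).setdefault(kind, {}).setdefault(key, value)

def assign_containers(obj, field, value):
    """Assign model for spec.containers[name:*].<field>: set it on every container."""
    for c in obj.get("spec", {}).get("containers", []):
        c[field] = value

def modify_set(obj, values, operation="merge"):
    """ModifySet model for spec.containers[name: *].args, treating the list as a set."""
    for c in obj.get("spec", {}).get("containers", []):
        if operation == "prune":
            if "args" in c:  # nothing to remove when the list is missing
                c["args"] = [a for a in c["args"] if a not in values]
        else:  # merge: append values that are not present yet (assumption: list is created)
            args = c.setdefault("args", [])
            for v in values:
                if v not in args:
                    args.append(v)

def mutate(pod):
    """Apply the page's three example mutators to a copy of the Pod."""
    out = copy.deepcopy(pod)
    assign_metadata(out, "owner", "admin")
    assign_containers(out, "imagePullPolicy", "Always")
    modify_set(out, ["--alsologtostderr"], operation="prune")
    return out

if __name__ == "__main__":
    print(json.dumps(mutate(POD), indent=2))
```

In the output the owner label is still alice, because AssignMetadata only adds missing keys, while imagePullPolicy is overwritten on both containers.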
AssignImage

Reference

Allows you to make changes to the image parameter of a resource.

An example of changing the image parameter to the value my.registry.io/repo/app@sha256:abcde67890123456789abc345678901a:

```yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: AssignImage
metadata:
  name: assign-container-image
spec:
  applyTo:
  - groups: [ "" ]
    kinds: [ "Pod" ]
    versions: [ "v1" ]
  location: "spec.containers[name:*].image"
  parameters:
    assignDomain: "my.registry.io"
    assignPath: "repo/app"
    assignTag: "@sha256:abcde67890123456789abc345678901a"
  match:
    source: "All"
    scope: Namespaced
    kinds:
    - apiGroups: [ "*" ]
      kinds: [ "Pod" ]
```