Compare languages | The admission-policy-engine module: Custom Resources (by Gatekeeper)

Mutation Custom Resources

For mutating webhooks, the reinvocationPolicy: IfNeeded setting is used in the MutatingWebhookConfiguration, so the webhook is called again if an earlier mutation changed the object. See the Kubernetes documentation for details.

Reference

These are a set of configurable policies that modify Kubernetes resources at the moment they are created.

AssignMetadata

Reference

Allows you to modify the metadata section of a resource. At the moment, Gatekeeper only allows adding labels and annotations objects; modifying existing objects is not supported.

An example of adding the label owner with the value admin in all namespaces:

```yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: AssignMetadata
metadata:
  name: demo-annotation-owner
spec:
  match:
    scope: Namespaced
  location: "metadata.labels.owner"
  parameters:
    assign:
      value: "admin"
```

Assign

Allows you to modify fields outside the Metadata section.

An example of setting imagePullPolicy for all containers to Always in all namespaces except the system namespace:

```yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: demo-image-pull-policy
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["system"]
  location: "spec.containers[name:*].imagePullPolicy"
  parameters:
    assign:
      value: Always
```

ModifySet

Reference

Allows you to add and remove items from a list, such as arguments for running a container. New values are added to the end of the list.

An example of removing the --alsologtostderr argument from all containers in a pod:

```yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: ModifySet
metadata:
  name: remove-err-logging
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  location: "spec.containers[name: *].args"
  parameters:
    operation: prune
    values:
      fromList:
        - --alsologtostderr
```

AssignImage

Reference

Allows you to make changes to the image parameter of a resource.

An example of changing the image parameter to the value my.registry.io/repo/app@sha256:abcde67890123456789abc345678901a:

```yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: AssignImage
metadata:
  name: assign-container-image
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  location: "spec.containers[name:*].image"
  parameters:
    assignDomain: "my.registry.io"
    assignPath: "repo/app"
    assignTag: "@sha256:abcde67890123456789abc345678901a"
  match:
    source: "All"
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
```
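To see how the three AssignImage parameters combine into the final image reference, here is an added simulation (not Gatekeeper's or the module's own code) that assumes Gatekeeper's documented behaviour: each of assignDomain, assignPath and assignTag replaces only its own component, components not specified are kept from the original image, and the registry part is recognised by Docker's reference rules (first component contains "." or ":" or is "localhost"). It also applies the documented rule that assignTag must start with ":" or "@".

```python
from dataclasses import dataclass


@dataclass
class ImageRef:
    domain: str  # registry host, e.g. "my.registry.io"; "" when the image has none
    path: str    # repository path, e.g. "repo/app"
    tag: str     # ":1.25" or "@sha256:..." including the separator; "" if absent


def parse_image(image: str) -> ImageRef:
    """Split an image reference into domain, path and tag/digest (assumed simplified rules)."""
    domain, path, tag = "", image, ""
    if "@" in path:
        # A digest always follows "@" and is treated as the tag component.
        path, digest = path.split("@", 1)
        tag = "@" + digest
    else:
        # A tag is a ":" after the last "/", so a registry port ("host:5000/app")
        # is not mistaken for a tag.
        last_slash = path.rfind("/")
        colon = path.rfind(":")
        if colon > last_slash:
            path, tag = path[:colon], path[colon:]
    # The first component is a registry only if it looks like a host name.
    first, sep, rest = path.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        domain, path = first, rest
    return ImageRef(domain, path, tag)


def assign_image(image: str, assign_domain: str = "", assign_path: str = "",
                 assign_tag: str = "") -> str:
    """Return the image after applying the AssignImage parameters (empty = keep original)."""
    if assign_tag and assign_tag[0] not in ":@":
        raise ValueError("assignTag must start with ':' or '@'")
    ref = parse_image(image)
    domain = assign_domain or ref.domain
    path = assign_path or ref.path
    tag = assign_tag or ref.tag
    return (domain + "/" if domain else "") + path + tag


if __name__ == "__main__":
    # Constructed input: the pod originally asks for a mutable tag from Docker Hub.
    print(assign_image("nginx:1.25", "my.registry.io", "repo/app",
                       "@sha256:abcde67890123456789abc345678901a"))
```

Running it with only assignDomain set shows the pinning effect a practitioner usually wants: "nginx:1.25" becomes "my.registry.io/nginx:1.25", with path and tag untouched.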