Kyverno policy for generate rules
# ➜ ~ kubectl apply -f mem-cpu-limit.yaml
# clusterpolicy.kyverno.io/mem-cpu-limit created
# ➜ ~ kubectl create ns new2
# namespace/new2 created
# ➜ ~ kubectl get -n new2 ResourceQuota
# NAME CREATED AT
# cpu-mem-resource-quoto 2020-06-30T08:46:52Z
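---
# Policy 1: every new Namespace gets a ResourceQuota.
#
# Trigger: admission of any Namespace object (match.resources.name "*").
# Effect:  a ResourceQuota named cpu-mem-resource-quoto is generated inside the
#          Namespace that was just created (see the kubectl transcript above).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "mem-cpu-limit"
spec:
  rules:
    - name: "mem-cpu-limit"
      match:
        resources:
          kinds:
            - Namespace
          name: "*"  # no name filter: every Namespace triggers the rule
      generate:
        kind: ResourceQuota
        # The misspelling ("quoto") is the object's actual name and is what
        # `kubectl get ResourceQuota` lists; renaming it here would leave the
        # already-generated quotas orphaned. Left as-is on purpose.
        name: cpu-mem-resource-quoto
        # Fixed: the original line was `synchronize : true` (space before the
        # colon), which yamllint rejects and some parsers read differently.
        # With synchronize enabled Kyverno keeps the generated quota aligned
        # with the data below instead of treating it as a one-off copy.
        synchronize: true
        namespace: "{{request.object.metadata.name}}"  # the Namespace that triggered this rule
        data:
          spec:
            # Ceiling for the whole namespace; pods that would push the total
            # over these values are rejected by the quota admission controller.
            hard:
              limits.cpu: "2"
              limits.memory: 2Gi
              requests.cpu: "1"
              requests.memory: 1Gi
            # NOTE(review): on a ResourceQuota, `used` is a .status field that
            # the API server computes, not a .spec field; the values below are
            # most likely ignored on create. Confirm whether this stanza is
            # intentional before relying on it.
            used:
              limits.cpu: 800m
              limits.memory: 800Mi
              requests.cpu: 400m
              requests.memory: 600Mi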
---
# Policy 2: hand the creator of a Namespace ownership of that Namespace.
#
# All four rules fire on admission of a Namespace. The three generate rules
# only run when the request came from a ServiceAccount (the preconditions
# require {{serviceAccountName}} / {{serviceAccountNamespace}} to be non-empty),
# and they create:
#   - a ClusterRole allowing `delete` on exactly this Namespace,
#   - a ClusterRoleBinding tying that ClusterRole to the creating SA,
#   - a RoleBinding granting the built-in `admin` ClusterRole inside the new
#     Namespace to the same SA.
#
# Security note: whoever is allowed to create Namespaces therefore becomes
# admin of every Namespace they create. This is the intended behaviour, so the
# permission to create Namespaces is the thing to keep tightly scoped.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ns-access-controls
  annotations:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: Create roles and role bindings for a new namespace
spec:
  # The rules read request.userInfo, which only exists during admission, so
  # background (periodic) evaluation is switched off.
  background: false
  rules:
    # Rule 1 (mutate): stamp the creating ServiceAccount's name onto the
    # Namespace so the creator can be audited later.
    - name: add-sa-annotation
      match:
        resources:
          kinds:
            - Namespace
      mutate:
        overlay:
          metadata:
            annotations:
              nirmata.io/ns-creator: "{{serviceAccountName}}"

    # Rule 2 (generate): a ClusterRole that permits deleting only this
    # Namespace. Namespaces are cluster-scoped, hence a ClusterRole rather
    # than a Role; resourceNames narrows it to the single object.
    - name: generate-owner-role
      match:
        resources:
          kinds:
            - Namespace
      # Skip requests that did not come from a ServiceAccount. These three
      # checks are repeated verbatim in the two rules below; keep them in sync.
      preconditions:
        - key: "{{request.userInfo.username}}"
          operator: NotEqual
          value: ""
        - key: "{{serviceAccountName}}"
          operator: NotEqual
          value: ""
        - key: "{{serviceAccountNamespace}}"
          operator: NotEqual
          value: ""
      generate:
        kind: ClusterRole
        name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}"
        data:
          metadata:
            annotations:
              nirmata.io/ns-creator: "{{serviceAccountName}}"
          rules:
            - apiGroups:
                - ""
              resources:
                - namespaces
              verbs:
                - delete
              resourceNames:
                - "{{request.object.metadata.name}}"

    # Rule 3 (generate): bind the ClusterRole from rule 2 to the creating SA.
    - name: generate-owner-role-binding
      match:
        resources:
          kinds:
            - Namespace
      preconditions:
        - key: "{{request.userInfo.username}}"
          operator: NotEqual
          value: ""
        - key: "{{serviceAccountName}}"
          operator: NotEqual
          value: ""
        - key: "{{serviceAccountNamespace}}"
          operator: NotEqual
          value: ""
      generate:
        kind: ClusterRoleBinding
        name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding"
        data:
          metadata:
            annotations:
              nirmata.io/ns-creator: "{{serviceAccountName}}"
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            # must match the name generated by rule "generate-owner-role"
            name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}"
          subjects:
            - kind: ServiceAccount
              # Kyverno context values: the <name> and <namespace> parts of a
              # `system:serviceaccount:<namespace>:<name>` username, i.e. the
              # prefix is stripped off request.userInfo.username.
              name: "{{serviceAccountName}}"
              namespace: "{{serviceAccountNamespace}}"

    # Rule 4 (generate): give the creating SA the built-in `admin` ClusterRole,
    # scoped to the new Namespace via a namespaced RoleBinding.
    - name: generate-admin-role-binding
      match:
        resources:
          kinds:
            - Namespace
      preconditions:
        - key: "{{request.userInfo.username}}"
          operator: NotEqual
          value: ""
        - key: "{{serviceAccountName}}"
          operator: NotEqual
          value: ""
        - key: "{{serviceAccountNamespace}}"
          operator: NotEqual
          value: ""
      generate:
        kind: RoleBinding
        name: "ns-admin-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding"
        namespace: "{{request.object.metadata.name}}"  # the RoleBinding lives in the new Namespace
        data:
          metadata:
            annotations:
              nirmata.io/ns-creator: "{{serviceAccountName}}"
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: admin  # built-in aggregated ClusterRole, not one generated here
          subjects:
            - kind: ServiceAccount
              name: "{{serviceAccountName}}"
              namespace: "{{serviceAccountNamespace}}"