Kyverno Policy Engine Analysis: A Deep Dive into Validate, Mutate and Generate Rules

1. Validate rules

1.1 Pattern matching

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-security-context
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Containers must run as non-root'
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true

Operators: ?* (non-empty value), * (any value), X|Y (or), !X (negation), >X and <X (numeric comparison)
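To make the operator semantics concrete, here is a small, simplified Python re-implementation of Kyverno's pattern matching (an added example, not Kyverno's own code) that also handles the conditional `=(key)` anchor mentioned in the summary; it evaluates the require-run-as-non-root pattern above against two constructed Pods and assumes the simplified rule that the first pattern element of a list is applied to every element of the resource list.

```python
import fnmatch
import re

# Simplified re-implementation of Kyverno pattern operators for illustration
# (added example, not Kyverno's own code): ?*  *  X|Y  !X  >X <X >=X <=X
_CMP = re.compile(r"^(>=|<=|>|<)\s*(-?\d+(?:\.\d+)?)$")

def match_scalar(pattern, value):
    if not isinstance(pattern, str):
        return pattern == value          # bool/int patterns compare literally
    if "|" in pattern:                   # X|Y : any alternative may match
        return any(match_scalar(p, value) for p in pattern.split("|"))
    if pattern.startswith("!"):          # !X : negation
        return not match_scalar(pattern[1:], value)
    m = _CMP.match(pattern)
    if m:                                # >X <X : numeric comparison
        try:
            v = float(value)
        except (TypeError, ValueError):
            return False
        n = float(m.group(2))
        return {">": v > n, "<": v < n, ">=": v >= n, "<=": v <= n}[m.group(1)]
    if pattern == "?*":                  # non-empty value
        return value not in (None, "")
    if value is None:                    # * and globs still need a value
        return False
    return fnmatch.fnmatchcase(str(value), pattern)

def match(pattern, resource):
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub in pattern.items():
            if key.startswith("=(") and key.endswith(")"):  # conditional anchor
                key = key[2:-1]
                if key not in resource:
                    continue             # key absent: this branch does not apply
            if key not in resource or not match(sub, resource[key]):
                return False             # missing key or mismatch fails the rule
        return True
    if isinstance(pattern, list):        # first pattern element applies to every item
        return isinstance(resource, list) and all(match(pattern[0], r) for r in resource)
    return match_scalar(pattern, resource)

# The require-run-as-non-root pattern from section 1.1, as a Python dict
NON_ROOT = {"spec": {"containers": [{"securityContext": {"runAsNonRoot": True}}]}}
# Constructed sample Pods (not from the page) to evaluate against NON_ROOT
GOOD_POD = {"spec": {"containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}]}}
BAD_POD = {"spec": {"containers": [{"name": "app", "image": "nginx"}]}}  # securityContext missing

def check_non_root(pod):
    return match(NON_ROOT, pod)
```

Note that a container with no securityContext at all fails the pattern because the key is required unless it is wrapped in a conditional anchor; that is exactly the behaviour an Enforce policy relies on.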

1.2 deny rules

rules:
  - name: deny-latest-tag
    validate:
      deny:
        conditions:
          any:
            - key: '{{ request.object.spec.containers[].image }}'
              operator: AnyIn
              value: ['*:latest']

1.3 CEL expressions

rules:
  - name: check-replica-count
    validate:
      cel:
        expressions:
          - expression: 'object.spec.replicas >= 2'
            message: 'Deployment must have at least 2 replicas'

2. Mutate rules

2.1 patchStrategicMerge

rules:
  - name: add-sidecar
    mutate:
      patchStrategicMerge:
        spec:
          template:
            spec:
              containers:
                - name: log-collector
                  image: fluentbit:latest

2.2 patchesJson6902

rules:
  - name: add-annotation
    mutate:
      patchesJson6902: |-
        - op: add
          path: /metadata/annotations/modified-by
          value: kyverno

3. Generate rules

3.1 data-based generation

rules:
  - name: generate-default-limitrange
    generate:
      apiVersion: v1
      kind: LimitRange
      name: default-limits
      namespace: '{{ request.object.metadata.name }}'
      synchronize: true
      data:
        spec:
          limits:
            - default:
                cpu: 500m
                memory: 512Mi
              type: Container

3.2 clone-based generation

rules:
  - name: clone-configmap
    generate:
      apiVersion: v1
      kind: ConfigMap
      name: shared-config
      namespace: '{{ request.object.metadata.name }}'
      clone:
        namespace: default
        name: template-configmap

4. Variables and context

context:
  - name: namespaceInfo
    apiCall:
      urlPath: '/api/v1/namespaces/{{ request.namespace }}'
  - name: allowedRegistries
    configMap:
      name: allowed-registries
      namespace: kyverno

5. Summary

  1. validate: flexible validation through pattern matching, deny conditions, CEL expressions and foreach
  2. mutate: automatic resource correction with Strategic Merge Patch and JSON Patch
  3. generate: automatic resource generation from data or a clone source, kept in sync with synchronize
  4. Variable system: dynamic policies via JMESPath, API calls and ConfigMap lookups
  5. Anchor system: precise pattern matching with conditional, negation and equality anchors