Help Center/ Ubiquitous Cloud Native Service/ User Guide/ Policy Center/ Policy Definition Library/ k8srequiredlabels
Updated on 2024-02-01 GMT+08:00
View PDF
Share

k8srequiredlabels

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Effective resource type: *
  • Parameter 
    labels: array of key-value pairs, key/allowedRegex
  key: a8r.io/owner
    # Matches email address or github user
    allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$

Function

The resource must contain the specified label whose value matches the provided regular expression.

Policy Example

The following policy instance shows the resource types for which the policy definition takes effect. parameters specifies the restrictions for message and labels.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    message: "All namespaces must have an `owner` label that points to your company username"
    labels:
      - key: owner
        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"

Resource Definition That Complies with the Policy

The example contains the label defined in the policy instance, which complies with the policy instance.

apiVersion: v1
kind: Namespace
metadata:
  name: allowed-namespace
  labels:
    owner: user.agilebank.demo

Resource Definition That Does Not Comply with the Policy

The example does not contain the label defined in the policy instance, which does not comply with the policy instance.

apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace