更新时间:2024-01-05 GMT+08:00
k8srequiredannotations
基本信息
- 策略类型:合规
- 推荐级别:L1
- 生效资源类型:*
- 参数:
annotations: 键值对数组,key/ allowedRegex key: a8r.io/owner # Matches email address or github user allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
作用
要求资源包含指定的annotations,其值与提供的正则表达式匹配。
策略实例示例
以下策略实例展示了策略定义生效的资源类型,parameters中指定了提示信息message以及annotations的约束定义。
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: all-must-have-certain-set-of-annotations
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Service"]
parameters:
message: "All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations."
annotations:
- key: a8r.io/owner
# Matches email address or github user
allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
- key: a8r.io/runbook
# Matches urls including or not http/https
allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
符合策略实例的资源定义
示例中的annotations符合策略实例。
apiVersion: v1
kind: Service
metadata:
name: allowed-service
annotations:
a8r.io/owner: "dev-team-alfa@contoso.com"
a8r.io/runbook: "https://confluence.contoso.com/dev-team-alfa/runbooks"
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
不符合策略实例的资源定义
示例中的annotations没有配置值,不符合策略实例。
apiVersion: v1
kind: Service
metadata:
name: disallowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
父主题: 使用策略定义库
