更新时间:2024-01-05 GMT+08:00
k8srequiredannotations
基本信息
- 策略类型:合规
- 推荐级别:L1
- 生效资源类型:*
- 参数:
annotations: 键值对数组,key/ allowedRegex key: a8r.io/owner # Matches email address or github user allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
作用
要求资源包含指定的annotations,其值与提供的正则表达式匹配。
策略实例示例
以下策略实例展示了策略定义生效的资源类型,parameters中指定了提示信息message以及annotations的约束定义。
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredAnnotations metadata: name: all-must-have-certain-set-of-annotations spec: match: kinds: - apiGroups: [""] kinds: ["Service"] parameters: message: "All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations." annotations: - key: a8r.io/owner # Matches email address or github user allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$ - key: a8r.io/runbook # Matches urls including or not http/https allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
符合策略实例的资源定义
示例中的annotations符合策略实例。
apiVersion: v1 kind: Service metadata: name: allowed-service annotations: a8r.io/owner: "dev-team-alfa@contoso.com" a8r.io/runbook: "https://confluence.contoso.com/dev-team-alfa/runbooks" spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
不符合策略实例的资源定义
示例中的annotations没有配置值,不符合策略实例。
apiVersion: v1 kind: Service metadata: name: disallowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
父主题: 使用策略定义库