allanger/shoebill-test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity
master
shoebill-test/charts/istiod-istiod/templates/validatingadmissionpolicy.yaml
Nikolai Rodionov 012aaadacc chore(release): Add a new release: metrics-server 
A new release is added to the cluster:
		  Name: metrics-server 
		  Namespace: kube-system
		  Version: 3.11.0
		  Chart: metrics-server/metrics-server
2024-09-09 09:41:17 +02:00

58 lines
2.1 KiB
YAML
Raw Permalink Blame History

{{- if .Values.experimental.stableValidationPolicy }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
- extensions.istio.io
apiVersions: ["*"]
operations: ["CREATE", "UPDATE"]
resources: ["*"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
variables:
- name: isEnvoyFilter
expression: "object.kind == 'EnvoyFilter'"
- name: isWasmPlugin
expression: "object.kind == 'WasmPlugin'"
- name: isProxyConfig
expression: "object.kind == 'ProxyConfig'"
- name: isTelemetry
expression: "object.kind == 'Telemetry'"
validations:
- expression: "!variables.isEnvoyFilter"
- expression: "!variables.isWasmPlugin"
- expression: "!variables.isProxyConfig"
- expression: |
!(
variables.isTelemetry && (
(has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
(has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
(has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
)
)
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
spec:
policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
validationActions: [Deny]
{{- end }}
Reference in New Issue View Git Blame Copy Permalink