[Question] How to match PATCH requests? #1138
Comments
What resource are you selecting in the policy? Can you share the policy please?

I tried to select deployments, statefulsets and daemonsets, as we allow patch only on these resources with the RBAC. Here is the policy I tried:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-patch-to-rollout-restart
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: restrict-patch
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
                - DaemonSet
              operations:
                - UPDATE
            clusterRoles:
              - namespace-owner
      validate:
        message: "PATCH is allowed only for rollout-restarts"
        pattern:
          metadata:
            annotations:
              kubectl.kubernetes.io/restartedAt: "?*"
```

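To make the semantics of the policy above concrete, here is an added simulation (not Kyverno's code and not from anyone in this thread) of its `match` block and its `validate.pattern` check, run against constructed admission requests. It assumes the things a practitioner would rely on when reasoning about this rule: the Kubernetes API server presents an HTTP PATCH to admission webhooks as the `UPDATE` operation, so `operations: [UPDATE]` is the right list for a `kubectl rollout restart`; a Kyverno pattern is evaluated at exactly the path it is written at, with `?` matching one character and `*` any run, so `"?*"` means "present and non-empty"; and `kubectl rollout restart` writes the `kubectl.kubernetes.io/restartedAt` annotation onto the pod template (`spec.template.metadata.annotations`), not the top-level object metadata. The caller-role handling is a simplification (roles are passed in directly), the timestamp, the `nginx:1.25` tag and the `view` role name are constructed sample values.

```python
import fnmatch
from typing import Any

# Added illustration of the policy's match + validate(pattern) behaviour.
# Everything here is constructed sample data, not Kyverno's own code.

RULE = {
    "match": {
        "kinds": {"Deployment", "StatefulSet", "DaemonSet"},
        "operations": {"UPDATE"},  # admission operations; an HTTP PATCH arrives as UPDATE
        "clusterRoles": {"namespace-owner"},
    },
    "message": "PATCH is allowed only for rollout-restarts",
    # Pattern rooted at the top of the object, exactly as the policy writes it.
    "pattern": {"metadata": {"annotations": {"kubectl.kubernetes.io/restartedAt": "?*"}}},
}


def matches_pattern(pattern: Any, value: Any) -> bool:
    """Recursive pattern check: every key of a pattern map must exist in the object
    and match; strings use ? (one char) and * (any run), so "?*" means non-empty."""
    if isinstance(pattern, dict):
        if not isinstance(value, dict):
            return False
        return all(key in value and matches_pattern(sub, value[key]) for key, sub in pattern.items())
    if isinstance(pattern, str):
        return isinstance(value, str) and fnmatch.fnmatchcase(value, pattern)
    return pattern == value


def rule_applies(request: dict) -> bool:
    """The policy's match block: kind, admission operation and at least one listed clusterRole."""
    match = RULE["match"]
    return (
        request["kind"] in match["kinds"]
        and request["operation"] in match["operations"]
        and bool(match["clusterRoles"] & request["clusterRoles"])
    )


def evaluate(request: dict) -> dict:
    """Decision the validate rule would produce for one admission request."""
    if not rule_applies(request):
        return {"allowed": True, "reason": "rule does not match; request not evaluated"}
    if matches_pattern(RULE["pattern"], request["object"]):
        return {"allowed": True, "reason": "object satisfies pattern"}
    return {"allowed": False, "reason": RULE["message"]}


def admission_request(operation: str, kind: str, cluster_roles: list, obj: dict) -> dict:
    """Constructed stand-in for the parts of an AdmissionReview the rule looks at."""
    return {"operation": operation, "kind": kind, "clusterRoles": set(cluster_roles), "object": obj}


STAMP = "2024-01-01T00:00:00Z"  # constructed timestamp value

SAMPLES = {
    # annotation where the policy's pattern looks for it: top-level metadata
    "restart_on_object": admission_request("UPDATE", "Deployment", ["namespace-owner"], {
        "metadata": {"name": "nginx", "annotations": {"kubectl.kubernetes.io/restartedAt": STAMP}},
        "spec": {"template": {"metadata": {"labels": {"app": "nginx"}}}},
    }),
    # annotation on the pod template only, which is where kubectl rollout restart writes it
    "restart_on_template": admission_request("UPDATE", "Deployment", ["namespace-owner"], {
        "metadata": {"name": "nginx"},
        "spec": {"template": {"metadata": {"annotations": {"kubectl.kubernetes.io/restartedAt": STAMP}}}},
    }),
    # a different edit (image bump) with no restart annotation at all
    "image_change": admission_request("UPDATE", "Deployment", ["namespace-owner"], {
        "metadata": {"name": "nginx"},
        "spec": {"template": {"spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}}},
    }),
    # same edit from a caller without the clusterRole: the rule never matches, so nothing is checked
    "image_change_other_caller": admission_request("UPDATE", "Deployment", ["view"], {
        "metadata": {"name": "nginx"},
    }),
    # a CREATE is outside the rule's operations list
    "create": admission_request("CREATE", "Deployment", ["namespace-owner"], {
        "metadata": {"name": "nginx"},
    }),
}


def run_samples() -> dict:
    """Map each sample name to the allowed (True) / denied (False) verdict of the rule."""
    return {name: evaluate(req)["allowed"] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in run_samples().items():
        print(f"{name:28s} -> {'allowed' if allowed else 'denied: ' + RULE['message']}")
```

Two of the verdicts are the ones worth checking against a real cluster: a request whose caller does not carry a listed clusterRole is allowed because the rule is never evaluated, not because the pattern passed, so a policy that seems to "let everything through" may simply not be matching; and a pattern rooted at `metadata.annotations` is not satisfied by an annotation that only exists on the pod template.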
Does the policy work if you remove this?

I just tried this I can perform a rollout restart on my test deployment but I can also do a Here is my test deployment manifest:

```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          resources:
            requests:
              memory: "32Mi"
              cpu: "250m"
            limits:
              memory: "32Mi"
              cpu: "500m"
```

When you define a

Yes, that's what I want.

Is your namespace owner defined by the clusterrole

Yes, the namespace owners are users that have a RoleBinding on the What I'm looking to do is to allow my namespace owners to use

Hi,

I'm looking to create a validate policy to allow users to use `kubectl rollout restart`. Rollout restart creates a PATCH request that sets the annotation `kubectl.kubernetes.io/restartedAt` on the resources. I tried with a match on `UPDATE` operations but it doesn't seem to catch PATCH requests. Do you have any idea if it is possible to create such a policy?

Thanks