Merge pull request #42611 from my-git9/validatingadmissionpolicy

[zh-cn] sync access-authn-authz/validating-admission-policy.md

Author: k8s-ci-robot

content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md

@@ -0,0 +1,29 @@
+# 此策略强制除 "exempt" Deployment 或任何不属于 “example.com” 组织的容器
+#（例如常见的 sidecar）外的 Deployment 的所有容器的镜像库与其命名空间的环境标签相匹配。
+# 例如，如果命名空间的标签为 {"environment": "staging"}，则所有容器镜像必须是
+# staging.example.com/* 或根本不包含 “example.com”，除非 Deployment 有
+# {"exempt": "true"} 标签。
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "image-matches-namespace-environment.policy.example.com"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  variables:
+  - name: environment
+    expression: "'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"
+  - name: exempt
+    expression: "'exempt' in object.metadata.labels && object.metadata.labels['exempt'] == 'true'"
+  - name: containers
+    expression: "object.spec.template.spec.containers"
+  - name: containersToCheck
+    expression: "variables.containers.filter(c, c.image.contains('example.com/'))"
+  validations:
+  - expression: "variables.exempt || variables.containersToCheck.all(c, c.image.startsWith(variables.environment + '.'))"
+    messageExpression: "'only ' + variables.environment + ' images are allowed in namespace ' + namespaceObject.metadata.name"

content/zh-cn/examples/access/image-matches-namespace-environment.policy.yaml

@@ -0,0 +1,49 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+webhooks:
+  - name: my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['*']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Ignore' # 打开失败（可选）
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: '<omitted>'
+    # 每个 Webhook 最多可以有 64 个 matchConditions
+    matchConditions:
+      - name: 'exclude-leases' # 每个匹配条件必须有唯一的名称
+        expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # 匹配非租约（non-lease）资源
+      - name: 'exclude-kubelet-requests'
+        expression: '!("system:nodes" in request.userInfo.groups)' # 匹配非节点用户发出的请求
+      - name: 'rbac' # 跳过由第二个 Webhook 处理的 RBAC 请求。
+        expression: 'request.resource.group != "rbac.authorization.k8s.io"'
+
+  # 此示例说明了 `authorizer` 的用法。授权检查比简单表达式成本更高，
+  # 因此在本示例中，通过使用第二个 Webhook 将其范围限制为仅 RBAC 请求。
+  # 两个 Webhook 可以由同一 endpoint 提供服务。
+  - name: rbac.my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['rbac.authorization.k8s.io']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Fail' # Fail-closed (the default)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: '<omitted>'
+    # 每个 webhook 最多可以有 64 个 matchConditions
+    matchConditions:
+      - name: 'breakglass'
+        # 跳过被授权在此 Webhook 上 'breakglass' 的用户发出的请求。
+        # 'breakglass' API verb 不需要被排查在该检查之外。
+        expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'

content/zh-cn/examples/access/validating-webhook-configuration-match-conditions.yaml

@@ -0,0 +1,11 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "demo-binding-test.example.com"
+spec:
+  policyName: "demo-policy.example.com"
+  validationActions: [Deny]
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        environment: test

content/zh-cn/examples/validatingadmissionpolicy/basic-example-binding.yaml

@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "demo-policy.example.com"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 5"

content/zh-cn/examples/validatingadmissionpolicy/basic-example-policy.yaml

@@ -0,0 +1,17 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "replicalimit-binding-nontest"
+spec:
+  policyName: "replicalimit-policy.example.com"
+  validationActions: [Deny]
+  paramRef:
+    name: "replica-limit-prod.example.com"
+    namespace: "default"
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: environment
+        operator: NotIn
+        values:
+        - test

content/zh-cn/examples/validatingadmissionpolicy/binding-with-param-prod.yaml

@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "replicalimit-binding-test.example.com"
+spec:
+  policyName: "replicalimit-policy.example.com"
+  validationActions: [Deny]
+  paramRef:
+    name: "replica-limit-test.example.com"
+    namespace: "default"
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        environment: test

content/zh-cn/examples/validatingadmissionpolicy/binding-with-param.yaml

@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+spec:
+...
+failurePolicy: Ignore # The default is "Fail"
+validations:
+- expression: "object.spec.xyz == params.x"  

content/zh-cn/examples/validatingadmissionpolicy/failure-policy-ignore.yaml

@@ -0,0 +1,18 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "replicalimit-policy.example.com"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: rules.example.com/v1
+    kind: ReplicaLimit
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= params.maxReplicas"
+      reason: Invalid

content/zh-cn/examples/validatingadmissionpolicy/policy-with-param.yaml

@@ -0,0 +1,5 @@
+apiVersion: rules.example.com/v1
+kind: ReplicaLimit
+metadata:
+  name: "replica-limit-prod.example.com"
+maxReplicas: 100