Open Policy Agent
OPA Policy #315
Replies: 2 comments 8 replies
-
|
Hey, I think there might be a few missed parts of the paths to fields here. You can see the schema of a request here: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-request-and-response I've had a go at the policy in the playground, does this look like it could work for you? |
Beta Was this translation helpful? Give feedback.
-
|
Ahh, so if the name of the storage class resource is This should do that: https://play.openpolicyagent.org/p/Q8tzfuwKP2 |
Beta Was this translation helpful? Give feedback.
-
|
that seems to work...let me try it in action |
Beta Was this translation helpful? Give feedback.
-
|
Sorry for delay...I try to use this yaml GNU nano 6.2 annotateworks.yaml
|
Beta Was this translation helpful? Give feedback.
-
|
Could that be some whitespace error? YAML tends to be very sensitive with that. |
Beta Was this translation helpful? Give feedback.
-
|
I'm not sure what is going on with the YAML formatting here but this part doesn't look right: apiVersion: storage.k8s.io/v1
kind: # THIS
group: storage.k8s.io
kind: StorageClass # AND THISLike Anders says, make sure that you have checked the whitespace here. http://json2yaml.com is a good site to convert between the json and the yaml. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I am having trouble with a policy to prevent creation of default storage class. I am trying to create an OPA policy that prevents creation or update to a storage class if it contains a annotation and the name of the storage class is not "default"
This is what I have below but that is not quite correct. Any suggestions?
import future.keywords.in
deny[msg] {
input.request.operation = "CREATE"
input.request.kind.kind = "storageclass"
}
Beta Was this translation helpful? Give feedback.
All reactions