Perform constraint matches based on a combination of different attributes #54
Unanswered
shomeprasanjit
asked this question in
Gatekeeper
-
Hi! You should be able to do what you've written, just with slightly different field names. Your example above becomes...

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  enforcementAction: warn
  match:
    namespaces: ["abc-namespace"]
    labelSelector:
      # matchLabels is a map of key: value pairs, not a list
      matchLabels:
        app1: abcd
        app2: xyz
    kinds:
      - apiGroups:
          - apps
        kinds:
          - Deployment
      - apiGroups:
          - apps
        kinds:
          - StatefulSet
  parameters:
    ranges:
      - max_replicas: 2000
        min_replicas: 2
```

Note that there is a bit of a security hole here though... anyone who can write labels to a deployment would be able to exempt their deployment from the policy by adding the appropriate labels. To close that hole, you'd need a second constraint that locks down which deployments have the labels to only those who qualify for the exemption.
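Because the constraint's scope is decided by labels, it helps to audit which workloads end up outside it. The following is an added example, not part of the original reply or of Gatekeeper: it re-implements Kubernetes label-selector matching in Python over constructed workloads and lists those that escape the constraint without being on an approved list. The helper names, sample workloads and the approved list are assumptions, and the check works for either selector style (`matchLabels` or `matchExpressions`).

```python
# Added example; helper names and sample workloads are constructed.
MATCH = {  # spec.match of the constraint above
    "namespaces": ["abc-namespace"],
    "kinds": [{"apiGroups": ["apps"], "kinds": ["Deployment"]},
              {"apiGroups": ["apps"], "kinds": ["StatefulSet"]}],
    "labelSelector": {"matchLabels": {"app1": "abcd", "app2": "xyz"}},
}

def selector_matches(selector, labels):
    """Kubernetes LabelSelector semantics: all requirements are ANDed."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        ok = {"In": labels.get(key) in values,
              "NotIn": labels.get(key) not in values,
              "Exists": key in labels,
              "DoesNotExist": key not in labels}
        if op not in ok:
            raise ValueError(f"unknown operator {op!r}")
        if not ok[op]:
            return False
    return True

def targeted(match, obj):
    """Namespace and kind checks only, ignoring labels."""
    api = obj["apiVersion"]
    group = api.split("/")[0] if "/" in api else ""  # core group is ""
    return obj["metadata"]["namespace"] in match["namespaces"] and any(
        obj["kind"] in k["kinds"] and group in k["apiGroups"] for k in match["kinds"])

def unapproved_exemptions(match, objects, approved):
    """Names of targeted workloads whose labels put them outside the
    constraint although they are not on the approved exemption list."""
    return [o["metadata"]["name"] for o in objects
            if targeted(match, o)
            and not selector_matches(match["labelSelector"], o["metadata"].get("labels", {}))
            and (o["metadata"]["namespace"], o["metadata"]["name"]) not in approved]

def workload(name, labels, kind="Deployment", ns="abc-namespace"):
    return {"apiVersion": "apps/v1", "kind": kind,
            "metadata": {"name": name, "namespace": ns, "labels": labels}}

OBJECTS = [  # constructed sample data
    workload("web", {"app1": "abcd", "app2": "xyz"}),   # constraint applies
    workload("metrics-exporter", {"app": "exporter"}),  # approved exemption
    workload("batch", {"app1": "abcd"}),                # labels edited, escapes
    workload("db", {}, kind="StatefulSet", ns="other-ns"),  # not targeted
]
APPROVED = {("abc-namespace", "metrics-exporter")}

if __name__ == "__main__":
    print(unapproved_exemptions(MATCH, OBJECTS, APPROVED))
```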
-
Hi Guys, how can I perform constraint matches based on a combination of different attributes?
Ex: I have a constraint of not allowing single replicas in a certain namespace, yet I want to exclude certain deployments like metrics exporters, which have little to no impact if allowed to run as single replicas.
I have used the example present here. Below is my Constraint
As per the document shared above .. can I have something like