fix: update kyverno policy

Signed-off-by: Vishal Choudhary <[email protected]>
nirmata · Jul 10, 2023 · 4648025 · 4648025
1 parent eeb065c
commit 4648025
Showing 1 changed file with 18 additions and 10 deletions.
diff --git a/configs/samples/kyverno-policy.yaml b/configs/samples/kyverno-policy.yaml
@@ -5,6 +5,7 @@ metadata:
 spec:
   validationFailureAction: Enforce
   webhookTimeoutSeconds: 30
+  schemaValidation: false
   rules:
   - name: call-aws-signer-extension
     match:
@@ -15,12 +16,12 @@ spec:
           kinds:
           - Pod
     context:
-    - name: result
+    - name: response
       apiCall:
         method: POST
         data:
         - key: images
-          value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].image }}"
+          value: "{{images}}"
         service:
           url: https://svc.kyverno-notation-aws/checkimages
           caBundle: |-
@@ -50,11 +51,18 @@ spec:
             ZzAbiSUwCgYIKoZIzj0EAwIDRwAwRAIgU3O7Qnk9PGCV4aXgZAXp0h4Iz2O7XUnP
             Ufv4SgD7neECIHLb+BDvRFPJ77FpfIYxBO70AHB7Kp0nWKCqyv3FK4aT
             -----END CERTIFICATE-----
-    validate:
-      message: "not allowed"
-      deny:
-        conditions:
-          all:
-          - key: "{{ result.verified }}"
-            operator: EQUALS
-            value: false
+    # validate:
+    #   message: "not allowed"
+    #   deny:
+    #     conditions:
+    #       all:
+    #       - key: "{{ response.verified }}"
+    #         operator: EQUALS
+    #         value: false
+    mutate:
+      foreach:
+      - list: "response.results"
+        patchesJson6902: |-
+            - path: {{ element.path }}
+              op: replace
+              value: {{ element.image }}