Perform constraint matches based on a combination of different attributes #54
Unanswered
shomeprasanjit asked this question in Gatekeeper
-
Hi! You should be able to do what you've written, just with slightly different field names. Your example above becomes...

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  enforcementAction: warn
  match:
    namespaces: ["abc-namespace"]
    labelSelector:
      # matchLabels is a map of key: value pairs, not a list
      matchLabels:
        app1: abcd
        app2: xyz
    kinds:
      - apiGroups:
          - apps
        kinds:
          - Deployment
      - apiGroups:
          - apps
        kinds:
          - StatefulSet
  parameters:
    ranges:
      - max_replicas: 2000
        min_replicas: 2
```

Note that there is a bit of a security hole here though... anyone who can write labels to a deployment would be able to exempt their deployment from the policy by adding the appropriate labels. To close that hole, you'd need a second constraint that locks down which deployments have the labels to only those who qualify for the exemption.
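One way to write the second constraint the reply describes, as an added example that is not part of the thread or of the Gatekeeper library: a template that rejects the exemption label on any workload whose name is not on an allowlist. It assumes `app1: abcd` is the label that exempts a workload from the replica limit; the template kind `K8sExemptLabelAllowlist`, its parameters and the name `metrics-exporter` are hypothetical.

```yaml
# Added example (not from the thread); template, parameter and workload names are hypothetical.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sexemptlabelallowlist
spec:
  crd:
    spec:
      names:
        kind: K8sExemptLabelAllowlist
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labelKey: {type: string}
            labelValue: {type: string}
            allowedNames:
              type: array
              items: {type: string}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sexemptlabelallowlist

        # Deny a matched object that carries the exemption label unless its name is allowlisted.
        violation[{"msg": msg}] {
          obj := input.review.object
          obj.metadata.labels[input.parameters.labelKey] == input.parameters.labelValue
          allowed := {n | n := input.parameters.allowedNames[_]}
          not allowed[obj.metadata.name]
          msg := sprintf("%v %v is not approved to carry label %v=%v",
            [obj.kind, obj.metadata.name, input.parameters.labelKey, input.parameters.labelValue])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExemptLabelAllowlist
metadata:
  name: replica-limit-exemptions
spec:
  enforcementAction: deny   # warn would still admit the labelled object
  match:
    namespaces: ["abc-namespace"]
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet"]
  parameters:
    labelKey: app1
    labelValue: abcd
    allowedNames: ["metrics-exporter"]
```

Because constraints are cluster-scoped resources, extending the allowlist requires permission to edit the constraint itself, which moves the exemption decision from whoever can label a Deployment to whoever administers Gatekeeper.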
-
Hi Guys, how can I perform constraint matches based on a combination of different attributes?
Ex: I have a constraint of not allowing single replicas in a certain namespace, yet I want to exclude certain deployments like metrics exporters, which have little to no impact if allowed to run as single replicas.
I have used the example present here. Below is my Constraint
As per the document shared above .. can I have something like