docs: document constraint match.source (#3291)
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Signed-off-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
sozercan and ritazh authored Feb 29, 2024
1 parent a4b75f5 commit 0ff1f8d
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion website/docs/expansion.md
@@ -12,7 +12,7 @@ title: Validating Workload Resources using ExpansionTemplate

A workload resource is a resource that creates other resources, such as a
[Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) or [Job](https://kubernetes.io/docs/concepts/workloads/controllers/job/). Gatekeeper can be configured to reject workload resources
that create a resource that violates a constraint.
that create a resource that violates a constraint.

## `ExpansionTemplate` explained

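Review bot: the removed and added versions of the line "that create a resource that violates a constraint." are character-for-character identical as rendered, so this hunk appears to be a whitespace-only change (trailing space or line ending) that has nothing to do with the commit's stated purpose of documenting `match.source`. Either drop it from this change or mention the whitespace cleanup in the commit message so reviewers do not hunt for a wording difference that is not there.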
@@ -165,6 +165,21 @@ setting the `Constraint`'s `spec.match.source` field to `Generated`. This can
also be used to define different enforcement actions for expanded resources and
original resources.

For example, suppose a cluster has a policy that blocks all [standalone pods](https://kubernetes.io/docs/concepts/configuration/overview/#naked-pods-vs-replicasets-deployments-and-jobs), but allows them to be created as part of a workload resource, such as `Deployment`. A user could create a `Constraint` that only targets original resources, like so:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: block-standalone-pods
metadata:
name: block-standalone-pods
spec:
match:
source: Original
kinds:
- apiGroups: [""]
kinds: ["Pod"]
```

## Mutating Example

Suppose a cluster is using Istio, and has a policy configured to ensure
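Review bot: `kind: block-standalone-pods` in the added YAML example does not look like a valid Constraint kind. A Constraint's `kind` is the CamelCase Kind declared under `spec.crd.spec.names.kind` of its ConstraintTemplate, and a lowercase hyphenated value would be rejected by the API server; suggest a CamelCase placeholder kind and keeping `block-standalone-pods` only as `metadata.name`. Also confirm that the keys under `spec:`, `match:` and `kinds:` are indented in the source file, since they render flush-left here and the example is not valid YAML as shown. The prose ("only targets original resources") and `source: Original` are consistent with the `Original`/`Generated` explanation in the context lines above, so the intended behaviour reads clearly.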
