Does kyverno verify that the value of .spec.imagePullSecret for a pod exists in the current cluster? #784
-
|
Hi here, kyverno in writing rules, whether you can set up such a rule: verify a pod pullsecret specified secert exists in the corresponding namespace of this cluster, if it exists allow the creation, if it does not exist, do not allow the creation and report an error out of the thanks~ |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Converted this to a discussion until further notice. I'm trying to understand what you're asking but I don't. Can you please explain better? |
Beta Was this translation helpful? Give feedback.
-
|
Sorry for the unclear description earlier, let me clarify: When creating a pod, deployment, and other resources in the Kubernetes cluster, my container image may be in a private image repository. In this case, I need to configure the corresponding imagePullSecret to enable the image to be authenticated and pulled to the image. However, sometimes the secret specified by this imagePullSecret may not have a corresponding namespace, and the state of the corresponding pod may be imagePullError, Only by checking the Event can we know that it is caused by the non-existent secret I would like to know if Kyverno has the corresponding ability to configure a rule to reject the creation of an imagePullSecret when it does not exist, and inform the user why it was rejected. the message may be: "The secret specified by imagePullSecret does not exist, please create the secret first and then try again" I have already implemented this requirement by writing my own admission Webhook, but it is not easy to maintain, so I want to better manage these through Kyverno |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the explanation. Yes, Kyverno can do this quite easily using a context variable to look up Secrets in the same Namespace as the Pod or its controller. Write a validate rule which uses a precondition to check for a defined imagePullSecret. If exists, perform an API lookup to get all Secrets in that Namespace. Use a deny rule to reject the Pod if there is no Secret in the Namespace with the same name as the one defined in the imagePullSecret field. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks! I guess I was able to solve the problem with this document: https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls |
Beta Was this translation helpful? Give feedback.
Thank you for the explanation. Yes, Kyverno can do this quite easily using a context variable to look up Secrets in the same Namespace as the Pod or its controller. Write a validate rule which uses a precondition to check for a defined imagePullSecret. If exists, perform an API lookup to get all Secrets in that Namespace. Use a deny rule to reject the Pod if there is no Secret in the Namespace with the same name as the one defined in the imagePullSecret field.