It is common for a policy lookup to need a mapping to many possible values rather than a single static one. This sample shows how a ValidatingPolicy can dynamically look up a list of exempt Namespaces from a ConfigMap, where the ConfigMap stores the Namespace names as one comma-separated string (for example `ns-a, ns-b`) under the key `exclude`. The policy validates that any Pod created outside those Namespaces carries the label `foo`, and applies the same check to the Pod template of Deployments and CronJobs (rule autogeneration is disabled, so those kinds are matched explicitly). Two things to check before adopting it: the list is split on the exact delimiter `', '` (comma followed by a space), so an entry written as `ns-a,ns-b` will silently match nothing and every Namespace will be subject to the rule; and the ConfigMap `default/namespace-filters` is itself a security-relevant control, since anyone who can edit it can exempt a Namespace from the check, so restrict write access to it with RBAC. The policy also runs with `validationActions: [Audit]`, so violations are reported rather than blocked.
```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: exclude-namespaces-example
  annotations:
    policies.kyverno.io/title: Exclude Namespaces Dynamically in ValidatingPolicy
    policies.kyverno.io/category: Sample in Vpol
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace, Pod
    policies.kyverno.io/minversion: 1.14.0
    kyverno.io/kyverno-version: 1.14.0
    kyverno.io/kubernetes-version: "1.30"
    policies.kyverno.io/description: >-
      It is common for a policy lookup to need a mapping to many possible values
      rather than a single static one. This sample demonstrates how to dynamically
      look up a list of exempt Namespaces from a ConfigMap, where the ConfigMap
      stores the Namespace names as a comma-separated string. This policy validates
      that any Pods created outside of the list of Namespaces have the label `foo` applied.
spec:
  validationActions:
    - Audit
  # Autogeneration is disabled because Deployments and CronJobs are matched
  # and validated explicitly below.
  autogen:
    podControllers:
      controllers: []
  evaluation:
    background:
      enabled: true
  matchConstraints:
    resourceRules:
      - apiGroups:
          - apps
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - deployments
      - apiGroups:
          - batch
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - cronjobs
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - pods
  variables:
    # The ConfigMap holding the exemption list; anyone who can edit it can
    # exempt a Namespace, so guard it with RBAC.
    - name: cm
      expression: resource.Get("v1", "configmaps", "default", "namespace-filters")
    # True when the request's Namespace appears in data.exclude. The split
    # delimiter is exactly ', ' (comma and space).
    - name: filter
      expression: request.namespace in variables.cm.data['exclude'].split(', ')
  validations:
    - expression: |
        request.kind.kind == 'Pod' ? ( variables.filter || (has(object.metadata.labels) && 'foo' in object.metadata.labels)) : request.kind.kind in ['Deployment', 'CronJob'] ? true : false
      messageExpression: "'Pods must have the \"foo\" label in metadata.labels unless in namespaces: ' + variables.cm.data['exclude'] + (has(object.metadata.labels) && 'foo' in object.metadata.labels ? ', but the label is present.' : ', but no \"foo\" label is found.')"
    - expression: |
        request.kind.kind == 'Deployment' ? ( variables.filter || has(object.spec.template.metadata) && has(object.spec.template.metadata.labels) && 'foo' in object.spec.template.metadata.labels) : request.kind.kind in ['Pod', 'CronJob'] ? true : false
      messageExpression: "'Deployments must have the \"foo\" label in the Pod template metadata.labels unless in namespaces: ' + variables.cm.data['exclude'] + (has(object.spec.template.metadata) && has(object.spec.template.metadata.labels) && 'foo' in object.spec.template.metadata.labels ? ', but the label is present.' : ', but no \"foo\" label is found.')"
    - expression: |
        request.kind.kind == 'CronJob' ? ( variables.filter || has(object.spec.jobTemplate.spec.template.metadata) && has(object.spec.jobTemplate.spec.template.metadata.labels) && 'foo' in object.spec.jobTemplate.spec.template.metadata.labels) : request.kind.kind in ['Pod', 'Deployment'] ? true : false
      messageExpression: "'CronJobs must have the \"foo\" label in the Pod template metadata.labels unless in namespaces: ' + variables.cm.data['exclude'] + (has(object.spec.jobTemplate.spec.template.metadata) && has(object.spec.jobTemplate.spec.template.metadata.labels) && 'foo' in object.spec.jobTemplate.spec.template.metadata.labels ? ', but the label is present.' : ', but no \"foo\" label is found.')"
```
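The policy depends on a ConfigMap the sample never shows. Below is that ConfigMap together with three Pods that exercise each branch of the Pod validation, as an added example that is not part of the original sample or of the Kyverno project's own files; the Namespace names `build-system`, `monitoring` and `team-a` and the Pod names are assumptions.

```yaml
# Added example (not from the original sample). Namespace and Pod names are assumptions.
---
# The lookup target: default/namespace-filters, read by resource.Get() in the policy.
# The policy splits data.exclude on ', ' (comma followed by a space), so keep
# exactly that delimiter; "build-system,monitoring" would exempt nothing.
apiVersion: v1
kind: ConfigMap
metadata:
  name: namespace-filters
  namespace: default
data:
  exclude: "build-system, monitoring"
---
# Pod in an exempt Namespace: passes with no label, because variables.filter is true.
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: monitoring
spec:
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
---
# Pod in a non-exempt Namespace that carries the label: passes.
apiVersion: v1
kind: Pod
metadata:
  name: labeled-pod
  namespace: team-a
  labels:
    foo: bar
spec:
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
---
# Pod in a non-exempt Namespace without the label: violates the policy. The
# reported message is built from the same ConfigMap value:
#   Pods must have the "foo" label in metadata.labels unless in namespaces:
#   build-system, monitoring, but no "foo" label is found.
apiVersion: v1
kind: Pod
metadata:
  name: unlabeled-pod
  namespace: team-a
spec:
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
```

Create the Namespaces and apply the ConfigMap before the policy, since the `cm` variable fails to resolve if `default/namespace-filters` does not exist. Because `validationActions` is `Audit`, the last Pod is still admitted and the violation is surfaced in Kyverno's policy report for `team-a` instead of being rejected; change the action to `Deny` to block it at admission.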