forge/clusterforge
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c0bef987f1
clusterforge/airm/ClusterPolicy_airm-workload-tracking-policy.yaml
ClusterForge 033556c928 Cast commit
2025-10-06 09:34:03 +00:00

171 lines
6.9 KiB
YAML
Raw Blame History

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: airm-workload-tracking-policy
spec:
background: false
rules:
- match:
resources:
kinds:
- Job
- Deployment
- StatefulSet
- DaemonSet
- CronJob
- KaiwoJob
- KaiwoService
- Pod
namespaceSelector:
matchExpressions:
- key: airm.silogen.ai/project-id
operator: Exists
mutate:
patchStrategicMerge:
metadata:
annotations:
airm.silogen.ai/auto-discovered: "true"
airm.silogen.ai/discovered-component-type: '{{request.object.kind }}'
airm.silogen.ai/submitter: '{{request.userInfo.username }}'
name: add-discovery-annotations-for-supported-types
preconditions:
all:
- key: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || '''' }}'
operator: Equals
value: ""
- key: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || '''' }}'
operator: Equals
value: ""
- key: '{{request.object.metadata.annotations."airm.silogen.ai/auto-discovered" || '''' }}'
operator: Equals
value: ""
- match:
resources:
kinds:
- Job
- Deployment
- StatefulSet
- DaemonSet
- CronJob
- KaiwoJob
- KaiwoService
- Pod
namespaceSelector:
matchExpressions:
- key: airm.silogen.ai/project-id
operator: Exists
mutate:
patchStrategicMerge:
metadata:
annotations:
airm.silogen.ai/auto-discovered: "false"
name: remove-auto-discovered-annotations-inherited-from-parent
preconditions:
all:
- key: '{{request.object.metadata.annotations."airm.silogen.ai/auto-discovered" || '''' }}'
operator: Equals
value: "true"
- key: '{{request.object.metadata.annotations."airm.silogen.ai/discovered-component-type" || '''' }}'
operator: NotEquals
value: '{{request.object.kind }}'
- context:
- apiCall:
jmesPath: metadata.labels
urlPath: /api/v1/namespaces/{{request.namespace }}
name: ns_labels
match:
resources:
kinds:
- Job
- Deployment
- StatefulSet
- DaemonSet
- CronJob
- KaiwoJob
- KaiwoService
- Pod
namespaceSelector:
matchExpressions:
- key: airm.silogen.ai/project-id
operator: Exists
mutate:
patchStrategicMerge:
metadata:
labels:
airm.silogen.ai/project-id: '{{ns_labels."airm.silogen.ai/project-id" }}'
name: set-project-id-from-namespace-label
preconditions:
all:
- key: '{{request.object.metadata.labels."airm.silogen.ai/project-id" || '''' }}'
operator: NotEquals
value: '{{ns_labels."airm.silogen.ai/project-id" }}'
- match:
resources:
kinds:
- Pod
- KaiwoJob
- KaiwoService
namespaceSelector:
matchExpressions:
- key: airm.silogen.ai/project-id
operator: Exists
mutate:
patchStrategicMerge:
metadata:
labels:
airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
name: add-workload-and-component-id-default
- match:
resources:
kinds:
- Job
- Deployment
- StatefulSet
- DaemonSet
namespaceSelector:
matchExpressions:
- key: airm.silogen.ai/project-id
operator: Exists
mutate:
patchStrategicMerge:
metadata:
labels:
airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
spec:
template:
metadata:
labels:
airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
name: add-workload-and-component-id-to-objects-with-template
- match:
resources:
kinds:
- CronJob
namespaceSelector:
matchExpressions:
- key: airm.silogen.ai/project-id
operator: Exists
mutate:
patchStrategicMerge:
metadata:
labels:
airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
spec:
jobTemplate:
metadata:
labels:
airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
spec:
template:
metadata:
labels:
airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
name: add-workload-and-component-id-cronjobs
Reference in New Issue View Git Blame Copy Permalink