
I am learning how to use kyverno to build some policies, but I am having a few problems understanding some behaviour:

My first scenario is that I want to block a resource that may or may not have spec.tier set. If it is set and it is different from 'Application' I want it to be blocked. If it is not set it should be allowed. So I tried this:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-block-tier
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: test-block-tier
    match:
      any:
      - resources:
          kinds:
          - crd.antrea.io/v1alpha1/NetworkPolicy
    preconditions:
      any:
      - key: "{{request.object.spec.tier || 'Application'}}"
        operator: NotEquals
        value: Application
    validate:
      message: "Antrea namespaced ANP can only be used on tier: Application"
      deny: {}

The policy works as expected as long as the tier is set in the yaml.

Accepts if it has tier: Application

apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: test-np
spec:
  tier: Application

Refuses if it has tier: anything else

apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: test-np
spec:
  tier: Emergency

But it also refuses if there is no spec.tier set, which I was not expecting, since the default if it does not exist is "Application" per key: "{{request.object.spec.tier || 'Application'}}".

What should I change to make it work as expected?

Jose
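The following is an added example, not part of the question above and not Kyverno's own code. It models only the intended semantics of the one precondition in the question: a dotted-path lookup that yields null for a missing key, the JMESPath `||` fallback, the `NotEquals` comparison, and the fact that a rule whose `validate` block is `deny: {}` denies exactly when its precondition matches. It does not reproduce the Kyverno engine or its variable-resolution step, so it cannot explain why the cluster denied the object with no tier; what it gives you is the decision table the policy is supposed to produce, which is the thing to check a `kyverno` CLI run or a policy revision against. The sample objects are constructed from the question's three cases, plus one extra case the question does not cover: an empty-string tier, which JMESPath also treats as false-like, so it too falls back to the default.

```python
"""
Added example: model of how the precondition
    {{request.object.spec.tier || 'Application'}}  NotEquals  Application
is meant to evaluate. Assumptions (not from the original question):
  * only this single precondition is modelled, not the Kyverno engine;
  * JMESPath '||' is modelled as "use the right side when the left side is
    false-like", where false-like means null, false, "", [] or {}.
"""

from typing import Any, Optional

# The policy's logic restated as plain data.
TIER_PATH = "spec.tier"
DEFAULT_TIER = "Application"   # the `|| 'Application'` fallback
ALLOWED_TIER = "Application"   # precondition: NotEquals this -> rule fires -> deny


def _np(spec: dict) -> dict:
    """Build a constructed Antrea NetworkPolicy object with the given spec."""
    return {
        "apiVersion": "crd.antrea.io/v1alpha1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "test-np"},
        "spec": spec,
    }


# Constructed sample resources: the question's three cases plus an empty tier.
SAMPLES = {
    "application": _np({"tier": "Application"}),
    "emergency": _np({"tier": "Emergency"}),
    "missing": _np({}),            # no spec.tier at all
    "empty": _np({"tier": ""}),    # tier present but empty (not in the question)
}


def lookup(obj: Any, dotted_path: str) -> Optional[Any]:
    """Walk a dotted path; a missing key yields None, as JMESPath yields null."""
    cur = obj
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_false_like(value: Any) -> bool:
    """JMESPath's false-like values: null, false, empty string, empty list, empty object."""
    return value is None or value is False or value == "" or value == [] or value == {}


def with_default(value: Any, default: Any) -> Any:
    """Model of `left || 'default'`: the default is used when the left side is false-like."""
    return default if is_false_like(value) else value


def precondition_matches(resource: dict) -> bool:
    """True when the defaulted tier is NotEquals 'Application'."""
    tier = with_default(lookup(resource, TIER_PATH), DEFAULT_TIER)
    return tier != ALLOWED_TIER


def decide(resource: dict) -> str:
    """`deny: {}` denies exactly when the precondition matches; otherwise the
    rule is skipped and the admission request is allowed."""
    return "deny" if precondition_matches(resource) else "allow"


def decision_table() -> dict:
    """Expected outcome for every constructed sample."""
    return {name: decide(res) for name, res in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in decision_table().items():
        print(f"{name:12s} -> {outcome}")
```

If the real cluster disagrees with this table for the `missing` case, the divergence is in how the engine resolves the variable before the JMESPath expression is evaluated, not in the `||` semantics themselves; that narrows where to look when revising the policy.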

0 Answers