Does kyverno verify that the value of .spec.imagePullSecret for a pod exists in the current cluster? #784
Miaoxiang-philips asked this question in Q&A
Hi there. When writing Kyverno rules, can you set up a rule like this: verify that the Secret specified by a Pod's pull secret exists in the corresponding namespace of this cluster; if it exists, allow the creation; if it does not exist, do not allow the creation and report an error. Thanks~
Answered by chipzoller, Oct 18, 2023
Replies: 1 comment, 3 replies
Converted this to a discussion until further notice. I'm trying to understand what you're asking, but I don't. Can you please explain better?
3 replies
Thank you for the explanation. Yes, Kyverno can do this quite easily using a context variable to look up Secrets in the same Namespace as the Pod or its controller. Write a validate rule which uses a precondition to check for a defined imagePullSecret. If exists, perform an API lookup to get all Secrets in that Namespace. Use a deny rule to reject the Pod if there is no Secret in the Namespace with the same name as the one defined in the imagePullSecret field.
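The following ClusterPolicy is an added example that implements the approach described in the answer above; it is not code from the discussion or from the Kyverno project. It assumes a Kyverno 1.10-or-later cluster and that Kyverno's admission controller has been granted RBAC to list Secrets (the policy name, rule name and message text are made up for illustration). Note that the Pod field is actually the list `spec.imagePullSecrets`, so the rule handles several pull secrets at once: it denies the Pod if any referenced name is missing from the Namespace.

```yaml
# Added example (not from the original discussion): deny Pod creation when a
# referenced imagePullSecret does not exist in the Pod's Namespace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-existing-imagepullsecrets   # hypothetical name
spec:
  validationFailureAction: Enforce
  # The rule depends on admission-request variables, so it runs only at admission.
  background: false
  rules:
    - name: imagepullsecrets-must-exist   # hypothetical name
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Only evaluate Pods that actually declare pull secrets, and only on create/update.
      preconditions:
        all:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
          - key: "{{ request.object.spec.imagePullSecrets[].name || `[]` | length(@) }}"
            operator: GreaterThan
            value: 0
      # API lookup: collect the names of all Secrets in the Pod's Namespace.
      context:
        - name: existingSecretNames
          apiCall:
            urlPath: "/api/v1/namespaces/{{ request.namespace }}/secrets"
            jmesPath: "items[].metadata.name"
      validate:
        message: >-
          Pod references imagePullSecrets {{ request.object.spec.imagePullSecrets[].name }},
          but not all of them exist in namespace {{ request.namespace }}.
        deny:
          conditions:
            any:
              # Deny if ANY referenced pull-secret name is NOT among the existing Secrets.
              - key: "{{ request.object.spec.imagePullSecrets[].name }}"
                operator: AnyNotIn
                value: "{{ existingSecretNames }}"
```

Two practical caveats. First, the `apiCall` context only works if Kyverno's admission controller is allowed to list Secrets; with the restricted default permissions in recent Kyverno releases that means adding a ClusterRole labelled `rbac.kyverno.io/aggregate-to-admission-controller: "true"` granting `list` on `secrets`, which is a deliberate widening of Kyverno's own privileges and should be reviewed as such. Second, this is a point-in-time check at admission: a Secret deleted after the Pod is admitted is not caught, so it complements, rather than replaces, monitoring for `ErrImagePull` events.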