https://github.com/redhat-c op/rego-policies/blob/master/ POLICIES.md#rhcop-ocp_bestpract-00021-pod-replica-below-1 上面的链接是下面一个pod副本的rego策略。
我为 podreplicabelowone rego 策略创建了 constrainttemplate.yaml 和 constraint.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: podreplicasbelowone
spec:
crd:
spec:
names:
kind: PodReplicasBelowOne
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package ocp.bestpractices.pod_replicas_below_one
violation[{"msg": msg}] {
openshift.is_policy_active("RHCOP-OCP_BESTPRACT-00021")
openshift.pod
replicas := konstraint_core.resource.spec.replicas
replicas <= 1
msg := konstraint_core.format_with_id(sprintf("%s/%s: replicas is %d - expected replicas to be greater than 1 for HA guarantees.", [konstraint_core.kind, konstraint_core.name, replicas]), "RHCOP-OCP_BESTPRACT-00021")
}
下面是 podreplicasbelowone 的 constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PodReplicasBelowOne
metadata:
name: podreplicasbelowone
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
我应用了约束模板和约束.yaml
nny@nn:~/Documents/new/podreplica$ kubectl apply -f template.yaml
constrainttemplate.templates.gatekeeper.sh/podreplicasbelowone created
nny@nn:~/Documents/new/podreplica$ kubectl apply -f constraint.yaml
error: unable to recognize "constraint.yaml": no matches for kind "PodReplicasBelowOne" in version "constraints.gatekeeper.sh/v1beta1"
为什么它显示这个错误?以上两个yaml文件是否正确?我需要改变什么?我需要在 example.yaml 中指定什么以显示违反 rego 政策的情况?