From ffe082a31bfa289c8d0c03fb7285fcf07ca1b3ff Mon Sep 17 00:00:00 2001
From: simu
Date: Thu, 6 Apr 2023 14:22:59 +0000
Subject: [PATCH 1/2] Update from template

Template version: main (956a1b3)
---
 .cruft.json | 2 +-
 Makefile.vars.mk | 4 ++--
 docs/modules/ROOT/pages/.vale.ini | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 docs/modules/ROOT/pages/.vale.ini

diff --git a/.cruft.json b/.cruft.json
index 3706d0e..79b03d7 100644
--- a/.cruft.json
+++ b/.cruft.json
@@ -1,6 +1,6 @@
 {
 "template": "https://github.com/projectsyn/commodore-component-template.git",
- "commit": "5b2799d8242f1c59beaa9502599ca88f9e006db4",
+ "commit": "956a1b342ed680b02b1fb1b646dc5d4c640e2028",
 "checkout": "main",
 "context": {
 "cookiecutter": {
diff --git a/Makefile.vars.mk b/Makefile.vars.mk
index e64d9d7..2b03b02 100644
--- a/Makefile.vars.mk
+++ b/Makefile.vars.mk
@@ -40,10 +40,10 @@ YAMLLINT_CONFIG ?= .yamllint.yml
 YAMLLINT_IMAGE ?= docker.io/cytopia/yamllint:latest
 YAMLLINT_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) $(YAMLLINT_IMAGE)

-VALE_CMD ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --volume "$${PWD}"/docs/modules:/pages docker.io/vshn/vale:2.1.1
+VALE_CMD ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --volume "$${PWD}"/docs/modules:/pages ghcr.io/vshn/vale:2.15.5
 VALE_ARGS ?= --minAlertLevel=error --config=/pages/ROOT/pages/.vale.ini /pages

-ANTORA_PREVIEW_CMD ?= $(DOCKER_CMD) run --rm --publish 35729:35729 --publish 2020:2020 $(antora_git_volume) --volume "${PWD}/docs":/preview/antora/docs docker.io/vshn/antora-preview:3.0.1.1 --style=syn --antora=docs
+ANTORA_PREVIEW_CMD ?= $(DOCKER_CMD) run --rm --publish 35729:35729 --publish 2020:2020 $(antora_git_volume) --volume "${PWD}/docs":/preview/antora/docs ghcr.io/vshn/antora-preview:3.1.2.3 --style=syn --antora=docs

 COMMODORE_CMD ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(git_volume) $(root_volume) docker.io/projectsyn/commodore:latest
 COMPILE_CMD ?= $(COMMODORE_CMD) component compile . $(commodore_args)
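Review bot: The new `VALE_CMD` and `ANTORA_PREVIEW_CMD` values pin the ghcr.io images by tag only; tags are mutable, so a later push of `ghcr.io/vshn/vale:2.15.5` or `ghcr.io/vshn/antora-preview:3.1.2.3` silently changes what runs with the repository mounted into the container (`$(root_volume)`, `--volume "${PWD}/docs"`). Pinning by digest, `ghcr.io/vshn/vale:2.15.5@sha256:<digest>`, would give these lines the same immutability this commit gives the template itself via the full commit SHA in `.cruft.json`. The `YAMLLINT_IMAGE` and `COMMODORE_CMD` context lines still float on `:latest`; since this file is generated from the component template, the pins presumably belong upstream rather than in this component alone.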
diff --git a/docs/modules/ROOT/pages/.vale.ini b/docs/modules/ROOT/pages/.vale.ini
new file mode 100644
index 0000000..bbabddf
--- /dev/null
+++ b/docs/modules/ROOT/pages/.vale.ini
@@ -0,0 +1 @@
+# Vale config

From 888a884734d26a7afc059064f8a3ae72abe434c6 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Thu, 6 Apr 2023 16:32:01 +0200
Subject: [PATCH 2/2] Render policy documentation from latest golden test outputs

---
 .../02_disallow_reserved_namespaces.adoc | 34 ++++----------
 .../policies/02_organization_namespaces.adoc | 33 ++++----------
 .../policies/02_organization_projects.adoc | 33 ++++----------
 .../02_organization_sa_namespaces.adoc | 31 ++++---------
 .../02_validate_namespace_metadata.adoc | 45 ++++++++-----------
 .../policies/03_projectrequest.adoc | 21 +++------
 .../11_generate_quota_limit_range_in_ns.adoc | 22 +++------
 .../policies/12_namespace_quota_per_zone.adoc | 43 +++++------------
 .../30_set_runonce_activedeadlineseconds.adoc | 16 ++----
 9 files changed, 82 insertions(+), 196 deletions(-)

diff --git a/docs/modules/ROOT/pages/references/policies/02_disallow_reserved_namespaces.adoc b/docs/modules/ROOT/pages/references/policies/02_disallow_reserved_namespaces.adoc
index 40237f4..6a19599 100644
--- a/docs/modules/ROOT/pages/references/policies/02_disallow_reserved_namespaces.adoc
+++ b/docs/modules/ROOT/pages/references/policies/02_disallow_reserved_namespaces.adoc
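Review bot: The new `docs/modules/ROOT/pages/.vale.ini` is a single comment, yet `VALE_ARGS` in Makefile.vars.mk points Vale at exactly this file with `--minAlertLevel=error`; with no `StylesPath` or `BasedOnStyles` Vale presumably loads no rules, so the docs lint passes vacuously unless the `ghcr.io/vshn/vale` image ships a config of its own. If the check is meant to enforce anything, add at least `MinAlertLevel = error` and a `[*.adoc]` section with `BasedOnStyles = ...`; otherwise make the intent explicit in the file, e.g. `# Placeholder: no component-specific Vale rules yet`, so the next reader does not assume the docs are being linted.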
@@ -37,35 +37,19 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: + policies.kyverno.io/description: | + This policy will: + - Check if the namespace name of the request matches one of the disallowed namespace patterns. + - Check if the requesting user/serviceaccount has a cluster role that allows them to create reserved namespaces. - - Check if the namespace name of the request matches one of the disallowed namespace - patterns. + If the namespace matches a disallowed pattern and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied. + The policy is applied for requests to create `Namespace` and `ProjectRequest` resources. + This ensures that unprivileged users can't use disallowed patterns regardless of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web console. - - Check if the requesting user/serviceaccount has a cluster role that allows - them to create reserved namespaces. + The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component parameter `reservedNamespaces`]. - - If the namespace matches a disallowed pattern and the requester doesn''t have - a cluster role which allows them to bypass the policy, the request is denied. - - The policy is applied for requests to create `Namespace` and `ProjectRequest` - resources. - - This ensures that unprivileged users can''t use disallowed patterns regardless - of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web - console. - - - The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component - parameter `reservedNamespaces`]. - - - Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. 
- - ' + Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/docs/modules/ROOT/pages/references/policies/02_organization_namespaces.adoc b/docs/modules/ROOT/pages/references/policies/02_organization_namespaces.adoc index f901764..93aa09a 100644 --- a/docs/modules/ROOT/pages/references/policies/02_organization_namespaces.adoc +++ b/docs/modules/ROOT/pages/references/policies/02_organization_namespaces.adoc 
@@ -40,37 +40,22 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: + policies.kyverno.io/description: | + This policy will: + - Check that each namespace created by a user without cluster-admin permissions has a label appuio.io/organization which isn't empty. + - Check that the creating user is in the organization it tries to create a namespace for. - - Check that each namespace created by a user without cluster-admin permissions - has a label appuio.io/organization which isn''t empty. - - - Check that the creating user is in the organization it tries to create a namespace - for. - - - The user''s organization membership is checked by: - + The user's organization membership is checked by: - Fetching all OpenShift groups + - Reading the `appuio.io/organization` label of the request and finding a group with the same name - - Reading the `appuio.io/organization` label of the request and finding a group - with the same name - - - If a group matching the label value exists, the policy checks that the user - which issued the request is a member of that group. - - - If the label `appuio.io/organization` is missing or empty or the user isn''t - a member of the group, the request is denied. - + If a group matching the label value exists, the policy checks that the user which issued the request is a member of that group. - Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. + If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied. - ' + Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. 
policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/docs/modules/ROOT/pages/references/policies/02_organization_projects.adoc b/docs/modules/ROOT/pages/references/policies/02_organization_projects.adoc index 90982c2..4c51f46 100644 --- a/docs/modules/ROOT/pages/references/policies/02_organization_projects.adoc +++ b/docs/modules/ROOT/pages/references/policies/02_organization_projects.adoc 
@@ -39,36 +39,21 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: + policies.kyverno.io/description: | + This policy will: + - Check that each project created by a user without cluster-admin permissions has a label appuio.io/organization which isn't empty. + - Check that the creating user is in the organization they try to create a project for. - - Check that each project created by a user without cluster-admin permissions - has a label appuio.io/organization which isn''t empty. - - - Check that the creating user is in the organization they try to create a project - for. - - - The user''s organization membership is checked by: - - - - Reading the project''s annotation `openshift.io/requester` which contains - the username of the user who originally requested the project. + The user's organization membership is checked by: + - Reading the project's annotation `openshift.io/requester` which contains the username of the user who originally requested the project. - Fetching all OpenShift groups + - Reading the `appuio.io/organization` label of the request and finding a group with the same name - - Reading the `appuio.io/organization` label of the request and finding a group - with the same name - - - If a group matching the label value exists, the policy checks that the user - which requested the project is a member of that group. - - - If the label `appuio.io/organization` is missing or empty or the user isn''t - a member of the group, the request is denied. + If a group matching the label value exists, the policy checks that the user which requested the project is a member of that group. - ' + If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied. policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations 
diff --git a/docs/modules/ROOT/pages/references/policies/02_organization_sa_namespaces.adoc b/docs/modules/ROOT/pages/references/policies/02_organization_sa_namespaces.adoc index d31fe4a..624b46e 100644 --- a/docs/modules/ROOT/pages/references/policies/02_organization_sa_namespaces.adoc +++ b/docs/modules/ROOT/pages/references/policies/02_organization_sa_namespaces.adoc 
@@ -38,33 +38,20 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: + policies.kyverno.io/description: | + This policy will: + - Check that each namespace created by a serviceaccount without cluster-admin permissions has a label appuio.io/organization which isn't empty. + - Check that the creating serviceaccount is part of the organization it tries to create a namespace for. - - Check that each namespace created by a serviceaccount without cluster-admin - permissions has a label appuio.io/organization which isn''t empty. + The serviceaccount's organization membership is checked by: - - Check that the creating serviceaccount is part of the organization it tries - to create a namespace for. + - Fetching the serviceaccount's namespace + - Comparing that namespace's `appuio.io/organization` label value with the request's `appuio.io/organization` label value. + If the label `appuio.io/organization` is missing or empty or the serviceaccount's organization doesn't match the request's organization the request is denied. - The serviceaccount''s organization membership is checked by: - - - - Fetching the serviceaccount''s namespace - - - Comparing that namespace''s `appuio.io/organization` label value with the - request''s `appuio.io/organization` label value. - - - If the label `appuio.io/organization` is missing or empty or the serviceaccount''s - organization doesn''t match the request''s organization the request is denied. - - - Serviceaccounts which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. - - ' + Serviceaccounts which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. 
policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/docs/modules/ROOT/pages/references/policies/02_validate_namespace_metadata.adoc b/docs/modules/ROOT/pages/references/policies/02_validate_namespace_metadata.adoc index d0e63fd..e55fa19 100644 --- a/docs/modules/ROOT/pages/references/policies/02_validate_namespace_metadata.adoc +++ b/docs/modules/ROOT/pages/references/policies/02_validate_namespace_metadata.adoc 
@@ -35,26 +35,16 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: - + policies.kyverno.io/description: | + This policy will: - Check annotations and labels on new and modified namespaces against a whitelist. + If the namespace has an annotation or label which isn't whitelisted and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied. - If the namespace has an annotation or label which isn''t whitelisted and the - requester doesn''t have a cluster role which allows them to bypass the policy, - the request is denied. - - - The list of allowed namespace annotations and labels is configured with xref:references/parameters#_allowednamespaceannotations[component - parameter `allowedNamespaceAnnotations`] and xref:references/parameters#_allowednamespacelabels[component - parameter `allowedNamespaceLabels`] respectively. - - - Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. + The list of allowed namespace annotations and labels is configured with xref:references/parameters#_allowednamespaceannotations[component parameter `allowedNamespaceAnnotations`] and xref:references/parameters#_allowednamespacelabels[component parameter `allowedNamespaceLabels`] respectively. - ' + Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations 
@@ -140,11 +130,13 @@ spec: list: 'request.object&& merge( not_null(request.object.metadata.labels, `{}`) ,not_null(request.oldObject.metadata.labels, `{}`)) | map(&{key: @}, keys(@))' - message: "The following labels can be modified:\n appuio.io/organization,\ - \ custom.appuio.io/*, kubernetes.io/metadata.name, network-policies.syn.tools/no-defaults,\ - \ network-policies.syn.tools/purge-defaults, test.appuio.io/*, compute.test.appuio.io/cpu.\n\ - labels given:\n {{request.object.metadata.labels}}.\nlabels before modification:\n\ - \ {{request.oldObject.metadata.labels}}." + message: |- + The following labels can be modified: + appuio.io/organization, custom.appuio.io/*, kubernetes.io/metadata.name, network-policies.syn.tools/no-defaults, network-policies.syn.tools/purge-defaults, test.appuio.io/*, compute.test.appuio.io/cpu. + labels given: + {{request.object.metadata.labels}}. + labels before modification: + {{request.oldObject.metadata.labels}}. - exclude: any: - clusterRoles: 
@@ -218,12 +210,13 @@ spec: list: 'request.object&& merge( not_null(request.object.metadata.annotations, `{}`) ,not_null(request.oldObject.metadata.annotations, `{}`)) | map(&{key: @}, keys(@))' - message: "The following annotations can be modified:\n custom.appuio.io/*,\ - \ appuio.io/default-node-selector, kubectl.kubernetes.io/last-applied-configuration,\ - \ policies.kyverno.io/last-applied-patches, appuio.io/active-deadline-seconds-override,\ - \ test.appuio.io/*, compute.test.appuio.io/cpu.\nannotations given:\n \ - \ {{request.object.metadata.annotations}}.\nannotations before modification:\n\ - \ {{request.oldObject.metadata.annotations}}." + message: |- + The following annotations can be modified: + custom.appuio.io/*, appuio.io/default-node-selector, kubectl.kubernetes.io/last-applied-configuration, policies.kyverno.io/last-applied-patches, appuio.io/active-deadline-seconds-override, test.appuio.io/*, compute.test.appuio.io/cpu. + annotations given: + {{request.object.metadata.annotations}}. + annotations before modification: + {{request.oldObject.metadata.annotations}}. validationFailureAction: enforce ---- diff --git a/docs/modules/ROOT/pages/references/policies/03_projectrequest.adoc b/docs/modules/ROOT/pages/references/policies/03_projectrequest.adoc index 995486f..bb0417c 100644 --- a/docs/modules/ROOT/pages/references/policies/03_projectrequest.adoc +++ b/docs/modules/ROOT/pages/references/policies/03_projectrequest.adoc 
@@ -32,23 +32,14 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will check that the requesting user - has the `appuio.io/default-organization` annotation. + policies.kyverno.io/description: | + This policy will check that the requesting user has the `appuio.io/default-organization` annotation. + The content of the annotation isn't validated. + Instead the policy assumes that any default organization annotations which are present on user objects are valid. - The content of the annotation isn''t validated. + If the requesting user doesn't have the `appuio.io/default-organization` annotation, the project request is denied. - Instead the policy assumes that any default organization annotations which are - present on user objects are valid. - - - If the requesting user doesn''t have the `appuio.io/default-organization` annotation, - the project request is denied. - - - Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. - - ' + Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. policies.kyverno.io/jsonnet: component/project-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/docs/modules/ROOT/pages/references/policies/11_generate_quota_limit_range_in_ns.adoc b/docs/modules/ROOT/pages/references/policies/11_generate_quota_limit_range_in_ns.adoc index da2bc10..fc788d5 100644 --- a/docs/modules/ROOT/pages/references/policies/11_generate_quota_limit_range_in_ns.adoc +++ b/docs/modules/ROOT/pages/references/policies/11_generate_quota_limit_range_in_ns.adoc 
@@ -32,26 +32,14 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Resource Quota - policies.kyverno.io/description: 'This policy generates `ResourceQuota` and `LimitRange` - objects in namespaces which have the `appuio.io/organization` label. + policies.kyverno.io/description: | + This policy generates `ResourceQuota` and `LimitRange` objects in namespaces which have the `appuio.io/organization` label. + The default values for the generated `ResourceQuota` and `LimitRange` objects are configured in component parameters xref:references/parameters.adoc#_generatedresourcequota[`generatedResourceQuota`] and xref:references/parameters.adoc#_generatedlimitrange[`generatedLimitRange`] respectively. - The default values for the generated `ResourceQuota` and `LimitRange` objects - are configured in component parameters xref:references/parameters.adoc#_generatedresourcequota[`generatedResourceQuota`] - and xref:references/parameters.adoc#_generatedlimitrange[`generatedLimitRange`] - respectively. + Quota entries can be overridden for single namespaces by annotating the namespace, see the xref:references/parameters.adoc#_generatedresourcequota_spec[parameter docs] for an example. - - Quota entries can be overridden for single namespaces by annotating the namespace, - see the xref:references/parameters.adoc#_generatedresourcequota_spec[parameter - docs] for an example. - - - If field `synchronize` in the `ResourceQuota` or `LimitRange` component parameter - is set to `true`, the policy is configured to continuously keep the generated - objects in sync with the specification in the policy. - - ' + If field `synchronize` in the `ResourceQuota` or `LimitRange` component parameter is set to `true`, the policy is configured to continuously keep the generated objects in sync with the specification in the policy. 
policies.kyverno.io/jsonnet: component/quota-limitrange.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/docs/modules/ROOT/pages/references/policies/12_namespace_quota_per_zone.adoc b/docs/modules/ROOT/pages/references/policies/12_namespace_quota_per_zone.adoc index a345d94..60ea301 100644 --- a/docs/modules/ROOT/pages/references/policies/12_namespace_quota_per_zone.adoc +++ b/docs/modules/ROOT/pages/references/policies/12_namespace_quota_per_zone.adoc 
@@ -41,39 +41,22 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/category: Namespace Management - policies.kyverno.io/description: 'This policy will deny creation of the new namespace - if the number of existing namespaces for the requester''s organization is greater - or equal a certain number. + policies.kyverno.io/description: | + This policy will deny creation of the new namespace if the number of existing namespaces for the requester's organization is greater or equal a certain number. + The number of allowed namespaces is either the default defined in this component, or it can be overridden for a specific organization. - The number of allowed namespaces is either the default defined in this component, - or it can be overridden for a specific organization. - - - To create an override, create a config map in the component namespace with name - pattern `override-` with `.data.namespaceOverride` being - the number. - + To create an override, create a config map in the component namespace with name pattern `override-` with `.data.namespaceOverride` being the number. For example, to set the namespace quota for organization foo to `4`: - [source,bash] - ---- - kubectl -n appuio-cloud create cm override-foo --from-literal=namespaceQuota=4 - ---- + The default number of allowed namespaces per organization is configured with xref:references/parameters#_maxnamespacequota[component parameter `maxNamespaceQuota`]. - The default number of allowed namespaces per organization is configured with - xref:references/parameters#_maxnamespacequota[component parameter `maxNamespaceQuota`]. - - - Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass this policy. 
- - ' + Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass this policy. policies.kyverno.io/jsonnet: component/namespace-quota.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations @@ -159,10 +142,9 @@ spec: - key: '{{nsCount}}' operator: GreaterThanOrEquals value: '{{override || `3`}}' - message: 'You cannot create more than {{override || `3`}} namespaces for organization - ''{{request.object.metadata.labels."appuio.io/organization"}}''. - - Please contact support to have your quota raised.' + message: |- + You cannot create more than {{override || `3`}} namespaces for organization '{{request.object.metadata.labels."appuio.io/organization"}}'. + Please contact support to have your quota raised. - context: - apiCall: jmesPath: metadata.annotations."appuio.io/default-organization" || "" @@ -235,10 +217,9 @@ spec: - key: '{{nsCount}}' operator: GreaterThanOrEquals value: '{{override || `3`}}' - message: 'You cannot create more than {{override || `3`}} namespaces for organization - ''{{organization}}''. - - Please contact support to have your quota raised.' + message: |- + You cannot create more than {{override || `3`}} namespaces for organization '{{organization}}'. + Please contact support to have your quota raised. validationFailureAction: enforce ---- diff --git a/docs/modules/ROOT/pages/references/policies/30_set_runonce_activedeadlineseconds.adoc b/docs/modules/ROOT/pages/references/policies/30_set_runonce_activedeadlineseconds.adoc index 48566f8..a5848a5 100644 --- a/docs/modules/ROOT/pages/references/policies/30_set_runonce_activedeadlineseconds.adoc +++ b/docs/modules/ROOT/pages/references/policies/30_set_runonce_activedeadlineseconds.adoc 
@@ -31,20 +31,12 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/category: Resource Quota - policies.kyverno.io/description: 'This policy ensures that all "runonce" pods - have `.spec.activeDeadlineSeconds` set. + policies.kyverno.io/description: | + This policy ensures that all "runonce" pods have `.spec.activeDeadlineSeconds` set. + The value for `.spec.activeDeadlineSeconds` for a namepsace can be overridden by adding annotation `appuio.io/active-deadline-seconds-override` with the desired default value on a namespace. - The value for `.spec.activeDeadlineSeconds` for a namepsace can be overridden - by adding annotation `appuio.io/active-deadline-seconds-override` with the desired - default value on a namespace. - - - Pods can be excluded from the policy by configuring label match expressions - in xref:references/parameters.adoc#_runonceactivedeadlineseconds_podmatchexpressions[component - parameter `runOnceActiveDeadlineSeconds.podMatchExpressions`]. - - ' + Pods can be excluded from the policy by configuring label match expressions in xref:references/parameters.adoc#_runonceactivedeadlineseconds_podmatchexpressions[component parameter `runOnceActiveDeadlineSeconds.podMatchExpressions`]. policies.kyverno.io/jsonnet: component/runonce-activedeadlineseconds.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations