blog: add blog for generating policy #2035
Signed-off-by: Kirti Goyal <kg4180553@gmail.com>
CortNick left a comment:

@kirti763 please have a look at all comments and suggestions. Once you've had a chance to review them, please ping @MariamFahmy98 for a final technical review so we can get this merged asap. Thx!
Review comment on the blog front matter:

    - General
    authors:
    - name: Kirti Goyal
    excerpt: A practical guide to GeneratingPolicy in Kyverno like automatically creating NetworkPolicies, syncing Secrets, and bootstrapping namespaces without anyone having to remember a checklist

Suggested change:
- excerpt: A practical guide to GeneratingPolicy in Kyverno like automatically creating NetworkPolicies, syncing Secrets, and bootstrapping namespaces without anyone having to remember a checklist
+ excerpt: A practical guide to GeneratingPolicy in Kyverno. Learn to automatically create NetworkPolicies, sync Secrets, and bootstrap namespaces without having to remember to follow a checklist.
Review comments on the opening checklist:

    Every Kubernetes platform team has some version of this checklist.

    "When you create a new namespace, remember to also create a NetworkPolicy, a
    ResourceQuota, a RoleBinding, and copy the image pull secret from the default
    namespace."

Suggested change:
- "When you create a new namespace, remember to also create a NetworkPolicy, a
+ 1. Create a new namespace.
+ 2. Create a NetworkPolicy for the new namespace.
+ 3. Set ResourceQuota and RoleBinding specs.
+ 4. Copy the image pull secret from the default namespace.

Suggested change:
- ResourceQuota, a RoleBinding, and copy the image pull secret from the default

Suggested change:
- namespace."
Review comment:

    It lives in a wiki. Nobody reads the wiki. Someone creates a namespace, forgets three

Suggested change:
- It lives in a wiki. Nobody reads the wiki. Someone creates a namespace, forgets three
+ Every checklist lives in a wiki. Nobody reads the wiki. Someone creates a namespace, forgets three
Review comment:

    Image pull secrets are a constant headache. The secret lives in `default`. Every new
    namespace needs a copy of it. Without automation, someone has to manually copy it every time
    and then keep it in sync when the secret rotates.

Suggested change:
- and then keep it in sync when the secret rotates.
+ and then keep it in sync when the secret rotates. A GeneratingPolicy can be used to automate this task, reducing drift and ensuring compliance.
Review comment:

    With `synchronize: true`, if the source secret is updated, all the copies get updated
    too. If the source is deleted, the copies get deleted. The downstream resources stay
    in sync with the original automatically.

Suggested change:
- in sync with the original automatically.
+ in sync with the original resources automatically.
Review comment:

    **Try it:**

CortNick: Really like these step-by-steps. Did you happen to run all of them to make sure they work @kirti763? If so, it might be a good idea to add a few screenshots also.
Review comment:

    - expression: generator.Apply(variables.nsName, variables.downstream)
    ```

    In this case, there is one policy. Two resources are created per namespace. You can add more to the list as needed like RoleBindings, ConfigMaps, LimitRanges. The developer creates a namespace and walks away. Everything is already there.

Suggested change:
- In this case, there is one policy. Two resources are created per namespace. You can add more to the list as needed like RoleBindings, ConfigMaps, LimitRanges. The developer creates a namespace and walks away. Everything is already there.
+ In this case, there is one policy. Two resources are created per namespace. You can add more to the list as needed like RoleBindings, ConfigMaps, LimitRanges. The developer creates a namespace and continues with their work. GeneratingPolicy ensures that everything is correctly generated for their deployment.
Review comment:

    ```

    When this policy is applied to a cluster with 10 existing namespaces, Kyverno
    immediately generates the downstream resources in all 10. Without this, only new

Suggested change:
- immediately generates the downstream resources in all 10. Without this, only new
+ immediately generates the downstream resources in all 10 namespaces. Without this, only new
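The review above touches three pieces of the policy separately: the `synchronize` behaviour for cloned secrets, the `generator.Apply(variables.nsName, variables.downstream)` call that creates two resources per namespace, and generation into namespaces that already exist. The policy below puts them together in one place. It is an added example, not the blog's own policy or code from the Kyverno project; the policy name, the `default-deny` NetworkPolicy, and the source secret `regcred` in namespace `default` are assumptions, and `resource.Get` is assumed to be the CEL helper used to read the source secret.

```yaml
# Added example, not the blog's policy. Policy name, resource names and the
# source secret "regcred" in namespace "default" are assumptions.
apiVersion: policies.kyverno.io/v1alpha1
kind: GeneratingPolicy
metadata:
  name: bootstrap-namespace
spec:
  evaluation:
    # Generate into the namespaces that already exist when the policy is
    # installed, not only into namespaces created afterwards.
    generateExisting:
      enabled: true
    # Keep the copies in step with the source: an update to the source secret
    # propagates to every copy, and deleting the source removes the copies.
    synchronize:
      enabled: true
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["namespaces"]
  variables:
    - name: nsName
      expression: object.metadata.name
    # Read the source secret to clone (assumed: default/regcred).
    - name: sourceSecret
      expression: resource.Get("v1", "secrets", "default", "regcred")
    # Two downstream resources per namespace: a default-deny NetworkPolicy and
    # a copy of the image pull secret. Extend this list to add more kinds.
    - name: downstream
      expression: >-
        [
          {
            "kind": dyn("NetworkPolicy"),
            "apiVersion": dyn("networking.k8s.io/v1"),
            "metadata": dyn({
              "name": "default-deny",
              "namespace": string(variables.nsName)
            }),
            "spec": dyn({
              "podSelector": {},
              "policyTypes": ["Ingress", "Egress"]
            })
          },
          {
            "kind": dyn("Secret"),
            "apiVersion": dyn("v1"),
            "metadata": dyn({
              "name": "regcred",
              "namespace": string(variables.nsName)
            }),
            "type": dyn(variables.sourceSecret.type),
            "data": dyn(variables.sourceSecret.data)
          }
        ]
  generate:
    - expression: generator.Apply(variables.nsName, variables.downstream)
```

Two things a platform team should check before relying on this: Kyverno's background controller must hold RBAC to create and update every kind the policy generates (a default install does not grant that for all resource types), and the default-deny NetworkPolicy blocks all traffic in the new namespace until workload-specific allow rules are added, so the bootstrap list should include whatever allow rules the platform expects.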
Related issue
This is a blog for Kyverno's generating policy.
Proposed Changes
Checklist