Merge pull request #47926 from tengqm/zh-rm-vwc-eg

[zh] Drop an example file which is not referenced
2024-09-15 06:17:12 +01:00 · 2024-09-15 06:17:12 +01:00 · 264d4b0c97
parent 05ba1a7025 74b246b07c
commit 264d4b0c97
1 changed files with 0 additions and 49 deletions
--- a/content/zh-cn/examples/access/validating-webhook-configuration-match-conditions.yaml
+++ b/content/zh-cn/examples/access/validating-webhook-configuration-match-conditions.yaml
@ -1,49 +0,0 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 webhooks:
  - name: my-webhook.example.com
    matchPolicy: Equivalent
    rules:
      - operations: ['CREATE','UPDATE']
        apiGroups: ['*']
        apiVersions: ['*']
        resources: ['*']
    failurePolicy: 'Ignore' # 打开失败（可选）
    sideEffects: None
    clientConfig:
      service:
        namespace: my-namespace
        name: my-webhook
      caBundle: '<omitted>'
    # 每个 Webhook 最多可以有 64 个 matchConditions
    matchConditions:
      - name: 'exclude-leases' # 每个匹配条件必须有唯一的名称
        expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # 匹配非租约（non-lease）资源
      - name: 'exclude-kubelet-requests'
        expression: '!("system:nodes" in request.userInfo.groups)' # 匹配非节点用户发出的请求
      - name: 'rbac' # 跳过由第二个 Webhook 处理的 RBAC 请求。
        expression: 'request.resource.group != "rbac.authorization.k8s.io"'
  # 此示例说明了 `authorizer` 的用法。授权检查比简单表达式成本更高，
  # 因此在本示例中，通过使用第二个 Webhook 将其范围限制为仅 RBAC 请求。
  # 两个 Webhook 可以由同一 endpoint 提供服务。
  - name: rbac.my-webhook.example.com
    matchPolicy: Equivalent
    rules:
      - operations: ['CREATE','UPDATE']
        apiGroups: ['rbac.authorization.k8s.io']
        apiVersions: ['*']
        resources: ['*']
    failurePolicy: 'Fail' # Fail-closed (the default)
    sideEffects: None
    clientConfig:
      service:
        namespace: my-namespace
        name: my-webhook
      caBundle: '<omitted>'
    # 每个 webhook 最多可以有 64 个 matchConditions
    matchConditions:
      - name: 'breakglass'
        # 跳过被授权在此 Webhook 上 'breakglass' 的用户发出的请求。
        # 'breakglass' API verb 不需要被排查在该检查之外。
        expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'