@jenting
Last active March 18, 2025 23:54
Deny App CR update status.reconciledAt
Mutate policy: strip `status.reconciledAt` from every Application UPDATE at admission.

```yaml
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: drop-reconciledat-only-update
  namespace: your-namespace # Replace with your target namespace
spec:
  mutateExistingOnPolicyUpdate: false # Only mutate admission requests, not existing resources
  rules:
    - name: drop-reconciledat-only-update
      match:
        any:
          - resources:
              kinds:
                - Application # Targeting the Application CR
                # Note: if the controller writes status through the status
                # subresource, match Application/status instead so Kyverno sees
                # those requests.
              operations:
                - UPDATE # Only checking UPDATE operations
      mutate:
        # Applies to every matching UPDATE, not only to updates where
        # reconciledAt is the sole change.
        patchesJson6902: |-
          - op: remove
            path: "/status/reconciledAt"
```
Validate policy: deny an Application UPDATE based on a change to `status.reconciledAt`.

```yaml
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: deny-application-only-update-status-reconciledat
  namespace: argocd
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: deny-application-only-update-status-reconciledat
      match:
        any:
          - resources:
              kinds:
                - Application
              operations:
                - UPDATE
      validate:
        message: "Updating Application is denied unless only status.reconciledAt changes."
        deny:
          conditions:
            all:
              # Condition 1: status.reconciledAt has changed (missing field counts as '')
              - key: "{{ request.object.status.reconciledAt || '' }}"
                operator: NotEquals
                value: "{{ request.oldObject.status.reconciledAt || '' }}"
              # Condition 2: the submitted object differs from the stored one.
              # This compares the whole objects, so it is always true whenever
              # condition 1 is true; as written, the rule denies every update
              # that changes status.reconciledAt, not only updates in which
              # reconciledAt is the sole change. Checking that nothing else
              # changed would require comparing the objects with that field
              # removed.
              - key: "{{ request.object }}"
                operator: NotEquals
                value: "{{ request.oldObject }}"
```
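To make the difference between the two conditions concrete, the following is an added Python check (not part of the gist, and not Kyverno's own evaluator) that applies both the gist's logic as written and the "only reconciledAt changed" logic the policy name describes to a constructed Application object; the sample object, field values and helper names are assumptions.

```python
import copy

# Constructed sample Argo CD Application object (not taken from the gist).
OLD_APP = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Application",
    "metadata": {"name": "guestbook", "namespace": "argocd"},
    "spec": {"project": "default", "source": {"path": "guestbook"}},
    "status": {"sync": {"status": "Synced"}, "reconciledAt": "2025-03-18T23:00:00Z"},
}


def _reconciled_at(obj):
    # Mirrors "{{ request.object.status.reconciledAt || '' }}": missing -> ''.
    return (obj.get("status") or {}).get("reconciledAt", "")


def strip_reconciled_at(obj):
    """Deep copy of obj with status.reconciledAt removed."""
    clone = copy.deepcopy(obj)
    status = clone.get("status")
    if isinstance(status, dict):
        status.pop("reconciledAt", None)
    return clone


def gist_deny(old, new):
    """The gist's two conditions as written: reconciledAt differs AND the whole
    object differs. The second test adds nothing, so this denies every update
    that touches status.reconciledAt."""
    return _reconciled_at(old) != _reconciled_at(new) and old != new


def intended_deny(old, new):
    """What the policy name describes: deny only when status.reconciledAt is
    the sole change, i.e. the objects are equal once that field is removed."""
    return (_reconciled_at(old) != _reconciled_at(new)
            and strip_reconciled_at(old) == strip_reconciled_at(new))


def updated(obj, reconciled_at=None, sync_status=None):
    """Build a modified copy of obj for the scenarios to compare."""
    new = copy.deepcopy(obj)
    if reconciled_at is not None:
        new["status"]["reconciledAt"] = reconciled_at
    if sync_status is not None:
        new["status"]["sync"]["status"] = sync_status
    return new
```

An update that bumps reconciledAt together with a real status change is denied by `gist_deny` but admitted by `intended_deny`, which is the gap the whole-object comparison leaves.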