CAST AI will not downscale a node that includes a pod carrying the autoscaling.cast.ai/removal-disabled="true" label. This protects sensitive workloads from being evicted; the label can be applied to any pod to protect it against unwanted downscaling. This policy mutates Jobs and CronJobs to add the removal-disabled label to their pod templates, protecting the resulting pods against eviction.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-castai-removal-disabled
  annotations:
    policies.kyverno.io/title: Add CAST AI Removal Disabled
    policies.kyverno.io/category: CAST AI
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Job, CronJob
    kyverno.io/kyverno-version: "1.9"
    kyverno.io/kubernetes-version: "1.25"
    policies.kyverno.io/description: >-
      CAST AI will not downscale a node that includes a pod with the
      autoscaling.cast.ai/removal-disabled="true" label on it, this protects
      sensitive workloads from being evicted and can be attributed to any pod
      to protect against unwanted downscaling. This policy will mutate jobs
      and cronjobs to add the removal-disabled label to protect against eviction.
spec:
  rules:
  - name: do-not-evict-jobs
    match:
      any:
      - resources:
          kinds:
          - Job
    mutate:
      patchStrategicMerge:
        spec:
          template:
            metadata:
              labels:
                autoscaling.cast.ai/removal-disabled: "true"
  - name: do-not-evict-cronjobs
    match:
      any:
      - resources:
          kinds:
          - CronJob
    mutate:
      patchStrategicMerge:
        spec:
          jobTemplate:
            spec:
              template:
                metadata:
                  labels:
                    autoscaling.cast.ai/removal-disabled: "true"
```
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
This policy mutates the secretRef key of an ExternalSecret to add a prefix. The External Secrets Operator suggests using Kyverno to force ExternalSecrets to carry a namespace prefix, so that Kubernetes administrators do not need to define permissions and users per namespace. Developers are then bound to the administrators' naming convention and cannot access secrets belonging to other namespaces. In this example, change "prefix-" in the JSON patch to your preferred prefix, for example {{ request.namespace }}.
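As an added example that is not part of the original policy or of the External Secrets Operator project, the following ClusterPolicy prefixes every spec.data[*].remoteRef.key of an ExternalSecret with the requesting namespace; the policy and rule names and the precondition that skips keys already carrying the prefix are assumptions of this example.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ns-prefix-to-secretref   # hypothetical policy name
spec:
  rules:
  - name: prefix-remote-ref-keys       # hypothetical rule name
    match:
      any:
      - resources:
          kinds:
          - ExternalSecret
    mutate:
      foreach:
      # Walk every entry of spec.data; {{element}} is the current entry and
      # {{elementIndex}} its position, which the JSON patch path needs.
      - list: "request.object.spec.data"
        preconditions:
          all:
          # Skip entries whose key already starts with "<namespace>-", so an
          # UPDATE of the ExternalSecret does not prefix the key a second time.
          - key: "{{ starts_with(element.remoteRef.key, join('', [request.namespace, '-'])) }}"
            operator: Equals
            value: false
        patchesJson6902: |-
          - op: replace
            path: /spec/data/{{elementIndex}}/remoteRef/key
            value: "{{request.namespace}}-{{element.remoteRef.key}}"
```

With this in place an ExternalSecret in namespace team-a that asks for remoteRef.key db-password is rewritten to team-a-db-password, so the backend only needs to grant each namespace access to keys under its own prefix.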