The ndots value controls where DNS lookups are first performed in a cluster and needs to be set to a lower value than the default of 5 in some cases. This policy mutates all Pods to set the ndots option to a value of 1, replacing any existing value.
```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: add-ndots
  annotations:
    policies.kyverno.io/title: Add ndots
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      The ndots value controls where DNS lookups are first performed in a cluster
      and needs to be set to a lower value than the default of 5 in some cases.
      This policy mutates all Pods to set the ndots option to a value of 1,
      replacing any existing value.
spec:
  matchConstraints:
    resourceRules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - pods
      - apiGroups:
          - apps
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - deployments
          - daemonsets
          - statefulsets
      - apiGroups:
          - batch
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - jobs
          - cronjobs
  mutations:
    # Pods: first drop any existing ndots option, then append ndots=1.
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.kind == "Pod" &&
          has(object.spec.dnsConfig) &&
          has(object.spec.dnsConfig.options) &&
          object.spec.dnsConfig.options.exists(opt, opt.name == "ndots") ?
          [JSONPatch{
            op: "remove",
            path: "/spec/dnsConfig/options/" + string(object.spec.dnsConfig.options.map(opt, opt.name).indexOf("ndots"))
          }] : []
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.kind == "Pod" ?
          (has(object.spec.dnsConfig) && has(object.spec.dnsConfig.options) ?
            [JSONPatch{
              op: "add",
              path: "/spec/dnsConfig/options/-",
              value: {"name": "ndots", "value": "1"}
            }] :
            (has(object.spec.dnsConfig) ?
              [JSONPatch{
                op: "add",
                path: "/spec/dnsConfig/options",
                value: [{"name": "ndots", "value": "1"}]
              }] :
              [JSONPatch{
                op: "add",
                path: "/spec/dnsConfig",
                value: {"options": [{"name": "ndots", "value": "1"}]}
              }])) : []
    # Deployments, DaemonSets, StatefulSets: same logic against the Pod template.
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.kind in ["Deployment", "DaemonSet", "StatefulSet"] &&
          has(object.spec.template.spec.dnsConfig) &&
          has(object.spec.template.spec.dnsConfig.options) &&
          object.spec.template.spec.dnsConfig.options.exists(opt, opt.name == "ndots") ?
          [JSONPatch{
            op: "remove",
            path: "/spec/template/spec/dnsConfig/options/" + string(object.spec.template.spec.dnsConfig.options.map(opt, opt.name).indexOf("ndots"))
          }] : []
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.kind in ["Deployment", "DaemonSet", "StatefulSet"] ?
          (has(object.spec.template.spec.dnsConfig) && has(object.spec.template.spec.dnsConfig.options) ?
            [JSONPatch{
              op: "add",
              path: "/spec/template/spec/dnsConfig/options/-",
              value: {"name": "ndots", "value": "1"}
            }] :
            (has(object.spec.template.spec.dnsConfig) ?
              [JSONPatch{
                op: "add",
                path: "/spec/template/spec/dnsConfig/options",
                value: [{"name": "ndots", "value": "1"}]
              }] :
              [JSONPatch{
                op: "add",
                path: "/spec/template/spec/dnsConfig",
                value: {"options": [{"name": "ndots", "value": "1"}]}
              }])) : []
    # Jobs: same logic against the Pod template.
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.kind == "Job" &&
          has(object.spec.template.spec.dnsConfig) &&
          has(object.spec.template.spec.dnsConfig.options) &&
          object.spec.template.spec.dnsConfig.options.exists(opt, opt.name == "ndots") ?
          [JSONPatch{
            op: "remove",
            path: "/spec/template/spec/dnsConfig/options/" + string(object.spec.template.spec.dnsConfig.options.map(opt, opt.name).indexOf("ndots"))
          }] : []
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.kind == "Job" ?
          (has(object.spec.template.spec.dnsConfig) && has(object.spec.template.spec.dnsConfig.options) ?
            [JSONPatch{
              op: "add",
              path: "/spec/template/spec/dnsConfig/options/-",
              value: {"name": "ndots", "value": "1"}
            }] :
            (has(object.spec.template.spec.dnsConfig) ?
              [JSONPatch{
                op: "add",
                path: "/spec/template/spec/dnsConfig/options",
                value: [{"name": "ndots", "value": "1"}]
              }] :
              [JSONPatch{
                op: "add",
                path: "/spec/template/spec/dnsConfig",
                value: {"options": [{"name": "ndots", "value": "1"}]}
              }])) : []
    # CronJobs: the Pod template sits one level deeper, under jobTemplate.
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.kind == "CronJob" &&
          has(object.spec.jobTemplate.spec.template.spec.dnsConfig) &&
          has(object.spec.jobTemplate.spec.template.spec.dnsConfig.options) &&
          object.spec.jobTemplate.spec.template.spec.dnsConfig.options.exists(opt, opt.name == "ndots") ?
          [JSONPatch{
            op: "remove",
            path: "/spec/jobTemplate/spec/template/spec/dnsConfig/options/" + string(object.spec.jobTemplate.spec.template.spec.dnsConfig.options.map(opt, opt.name).indexOf("ndots"))
          }] : []
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.kind == "CronJob" ?
          (has(object.spec.jobTemplate.spec.template.spec.dnsConfig) && has(object.spec.jobTemplate.spec.template.spec.dnsConfig.options) ?
            [JSONPatch{
              op: "add",
              path: "/spec/jobTemplate/spec/template/spec/dnsConfig/options/-",
              value: {"name": "ndots", "value": "1"}
            }] :
            (has(object.spec.jobTemplate.spec.template.spec.dnsConfig) ?
              [JSONPatch{
                op: "add",
                path: "/spec/jobTemplate/spec/template/spec/dnsConfig/options",
                value: [{"name": "ndots", "value": "1"}]
              }] :
              [JSONPatch{
                op: "add",
                path: "/spec/jobTemplate/spec/template/spec/dnsConfig",
                value: {"options": [{"name": "ndots", "value": "1"}]}
              }])) : []
```
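To see what the policy above actually does to a resource before installing it in a cluster, the following added example (not Kyverno's code and not part of the policy page) models its patch sequence in plain Python: it computes the same RFC 6902 operations the CEL expressions emit for each matched kind (remove any existing `ndots` entry by index, then add `ndots=1` at the right level), applies them with a minimal JSON Patch applier, and exercises the three branches the policy distinguishes: no `dnsConfig`, `dnsConfig` without `options`, and `options` that already contain `ndots`. The function names `build_patches`, `apply_patches`, `set_ndots` and `ndots_options` and the sample manifests are all constructed for this example.

```python
"""Model of the add-ndots MutatingPolicy's patch logic (added example, not Kyverno code)."""
import copy

# Where the Pod spec lives for each kind the policy's matchConstraints select.
_POD_SPEC_PATH = {
    "Pod": ["spec"],
    "Deployment": ["spec", "template", "spec"],
    "DaemonSet": ["spec", "template", "spec"],
    "StatefulSet": ["spec", "template", "spec"],
    "Job": ["spec", "template", "spec"],
    "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"],
}

NDOTS = {"name": "ndots", "value": "1"}


def _pod_spec(obj):
    node = obj
    for key in _POD_SPEC_PATH[obj["kind"]]:
        node = node[key]
    return node


def build_patches(obj):
    """Return the JSON Patch operations the policy would emit for obj.

    Mirrors the CEL: a 'remove' at indexOf("ndots") when an ndots option exists,
    then an 'add' whose path depends on which parts of dnsConfig already exist.
    """
    prefix = "/" + "/".join(_POD_SPEC_PATH[obj["kind"]])
    dns = _pod_spec(obj).get("dnsConfig")
    options = dns.get("options") if dns is not None else None
    patches = []
    if options is not None:
        names = [o.get("name") for o in options]
        if "ndots" in names:
            patches.append({"op": "remove",
                            "path": f"{prefix}/dnsConfig/options/{names.index('ndots')}"})
        patches.append({"op": "add", "path": f"{prefix}/dnsConfig/options/-", "value": NDOTS})
    elif dns is not None:
        patches.append({"op": "add", "path": f"{prefix}/dnsConfig/options", "value": [NDOTS]})
    else:
        patches.append({"op": "add", "path": f"{prefix}/dnsConfig", "value": {"options": [NDOTS]}})
    return patches


def apply_patches(obj, patches):
    """Minimal RFC 6902 applier covering only the add/remove forms built above."""
    out = copy.deepcopy(obj)
    for p in patches:
        parts = p["path"].lstrip("/").split("/")
        parent = out
        for key in parts[:-1]:
            parent = parent[int(key)] if isinstance(parent, list) else parent[key]
        last = parts[-1]
        if p["op"] == "remove":
            parent.pop(int(last) if isinstance(parent, list) else last)
        elif isinstance(parent, list):
            if last == "-":
                parent.append(p["value"])   # "/-" appends, as the policy's add uses
            else:
                parent.insert(int(last), p["value"])
        else:
            parent[last] = p["value"]
    return out


def set_ndots(obj):
    """Apply the policy's full remove-then-add sequence to one resource."""
    return apply_patches(obj, build_patches(obj))


def ndots_options(obj):
    """Convenience: the resulting dnsConfig.options list for the Pod spec of obj."""
    return _pod_spec(obj)["dnsConfig"]["options"]


if __name__ == "__main__":
    # Constructed sample: a Pod whose owner already set ndots=5 plus another option.
    pod = {"kind": "Pod", "spec": {"dnsConfig": {"options": [
        {"name": "ndots", "value": "5"}, {"name": "single-request-reopen"}]}}}
    for p in build_patches(pod):
        print(p)
    print(ndots_options(set_ndots(pod)))
```

Because the remove is index-based and the add uses `/-`, the existing `ndots` entry is dropped in place and the new one lands at the end of the list, so other `dnsConfig.options` entries survive; the order of the remaining options changes, which is harmless for resolv.conf semantics.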
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation, since restricted users can impact other users through it. For these reasons it is recommended to use Helm v3+, which does not contain Tiller. This policy validates that no container image name contains `tiller`.