In some cases you need every container in a Pod to trust a custom CA certificate. Keeping the certificates in a ConfigMap lets you automount them by setting a single annotation instead of editing every workload. This policy mounts a volume containing the certificates into every container of a Pod when the annotation `inject-certs` is present with the value `enabled`. The ConfigMap it references (`ca-pemstore`) must already exist in the Pod's namespace, and because `background` is `false` only Pods created or updated after the policy is installed are mutated.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-certificates-volume
  annotations:
    policies.kyverno.io/title: Add Certificates as a Volume
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod,Volume
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/minversion: 1.5.0
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet
    policies.kyverno.io/description: >-
      In some cases you would need to trust custom CA certificates for all the containers of a Pod.
      It makes sense to be in a ConfigMap so that you can automount them by only setting an annotation.
      This policy adds a volume to all containers in a Pod containing the certificate if the annotation
      called `inject-certs` with value `enabled` is found.
spec:
  background: false
  rules:
  - name: add-ssl-certs
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.object.metadata.annotations.\"inject-certs\" || \"\"}}"
        operator: Equals
        value: enabled
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    mutate:
      foreach:
      - list: request.object.spec.containers
        patchStrategicMerge:
          spec:
            containers:
            - name: "{{ element.name }}"
              volumeMounts:
              - name: etc-ssl-certs
                mountPath: /etc/ssl/certs
            volumes:
            - name: etc-ssl-certs
              configMap:
                name: ca-pemstore
```
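The following is an added example, not part of the policy library page: the ConfigMap the policy expects, a Pod that opts in through the annotation, and the same Pod as it looks after Kyverno's admission mutation. The namespace `demo`, the image names, the `scratch` volume and the key `ca-certificates.crt` are assumptions chosen for illustration; the certificate body is a constructed placeholder.

```yaml
# Added example (not from the Kyverno policy library). Objects below are
# constructed to show what the add-certificates-volume policy expects and
# produces; namespace, images and the ConfigMap key are assumptions.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-pemstore           # name hard-coded in the policy's volumes: block
  namespace: demo             # must exist in every namespace where opted-in Pods run
data:
  # The mount replaces the image's entire /etc/ssl/certs directory, so this
  # file must carry the full bundle (public CAs plus the private CA), under
  # the file name the container's TLS library looks for.
  ca-certificates.crt: |
    -----BEGIN CERTIFICATE-----
    constructed placeholder; replace with the real PEM bundle
    -----END CERTIFICATE-----
---
# Pod as submitted by the user
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
  annotations:
    inject-certs: enabled     # precondition checked by the rule; any other value is ignored
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0
  - name: sidecar
    image: registry.example.com/sidecar:1.0
    volumeMounts:
    - name: scratch
      mountPath: /tmp/scratch
  volumes:
  - name: scratch
    emptyDir: {}
---
# The same Pod after admission: the foreach over spec.containers adds the
# mount to each container and the volume once to the Pod.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
  annotations:
    inject-certs: enabled
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0
    volumeMounts:
    - name: etc-ssl-certs
      mountPath: /etc/ssl/certs
  - name: sidecar
    image: registry.example.com/sidecar:1.0
    volumeMounts:
    - name: scratch           # existing mounts are kept; strategic merge appends by name
      mountPath: /tmp/scratch
    - name: etc-ssl-certs
      mountPath: /etc/ssl/certs
  volumes:
  - name: scratch
    emptyDir: {}
  - name: etc-ssl-certs
    configMap:
      name: ca-pemstore
```

Two things to check before rolling this out. First, a ConfigMap volume mounted at `/etc/ssl/certs` hides whatever the image shipped there, so a ConfigMap holding only the private CA silently breaks trust in every public CA; either ship the complete bundle in the ConfigMap or mount a single file with `subPath`. Second, a `configMap` volume is required by default: if `ca-pemstore` is missing from the Pod's namespace the kubelet will not start the containers, which turns a forgotten ConfigMap into a namespace-wide outage for every annotated workload. You can confirm the mutation offline with `kyverno apply <policy.yaml> --resource <pod.yaml>` or, on a live cluster, with `kubectl -n demo get pod app -o jsonpath='{.spec.volumes[*].name}'`.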
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
Tiller, the in-cluster component of Helm v2, has known security problems. It runs with administrative privileges and acts as a shared resource reachable by any authenticated user, so a restricted user who can talk to Tiller can affect other users' releases and escalate privileges. Helm v3 and later removed Tiller for these reasons and should be used instead. This policy validates that no container image name contains `tiller`.