Images coming from certain registries require authentication in order to pull them, and the kubelet uses this information in the form of an imagePullSecret to pull those images on behalf of your Pod. This policy searches for images coming from a registry called `corp.reg.com` referenced by either one of the containers or one of the init containers and, if found, will mutate the Pod to add an imagePullSecret called `my-secret`.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: add-imagepullsecrets-for-containers-and-initcontainersannotations:policies.kyverno.io/title: Add imagePullSecrets for Containers and InitContainerspolicies.kyverno.io/category: Samplepolicies.kyverno.io/subject: Podpolicies.kyverno.io/minversion: 1.6.0kyverno.io/kyverno-version: 1.6.2kyverno.io/kubernetes-version: "1.23"policies.kyverno.io/description: Images coming from certain registries require authentication in order to pull them, and the kubelet uses this information in the form of an imagePullSecret to pull those images on behalf of your Pod. This policy searches for images coming from a registry called `corp.reg.com` referenced by either one of the containers or one of the init containers and, if found, will mutate the Pod to add an imagePullSecret called `my-secret`.spec:rules:- name: add-imagepullsecretmatch:any:- resources:kinds:- Podpreconditions:any:- key: corp.reg.comoperator: AnyInvalue: "{{ images.initContainers.*.registry || `[]` }}"- key: corp.reg.comoperator: AnyInvalue: "{{ images.containers.*.registry }}"mutate:patchStrategicMerge:spec:imagePullSecrets:- name: my-secret
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.