The ndots value controls where DNS lookups are first performed in a cluster and needs to be set to a lower value than the default of 5 in some cases. This policy mutates all Pods to add the ndots option with a value of 1.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: add-ndotsannotations:policies.kyverno.io/title: Add ndotspolicies.kyverno.io/category: Samplepolicies.kyverno.io/subject: Podpolicies.kyverno.io/minversion: 1.6.0policies.kyverno.io/description: The ndots value controls where DNS lookups are first performed in a cluster and needs to be set to a lower value than the default of 5 in some cases. This policy mutates all Pods to add the ndots option with a value of 1.spec:rules:- name: add-ndotsmatch:any:- resources:kinds:- Podmutate:patchStrategicMerge:spec:dnsConfig:options:- name: ndotsvalue: "1"
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.