Add scheduled Node's labels to a Pod
Containers running in Pods may sometimes need access to node-specific information on which the Pod has been scheduled. A common use case is node topology labels to ensure pods are spread across failure zones in racks or in the cloud. The mutate-pod-binding policy already does this for annotations, but it does not handle labels. A useful use case is for passing metric label information to ServiceMonitors and then into Prometheus.

This policy watches for Pod binding events when the pod is scheduled and then asynchronously mutates the existing Pod to add the labels.

This policy requires the following changes to common default configurations:

- The kyverno resourceFilter should not filter Pod/binding resources.
- The kyverno backgroundController service account requires Update permission on pods. It is recommended to use https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
Policy Definition
/other/add-node-labels-pod/add-node-labels-pod.yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: add-node-labels-pod
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Add scheduled Node's labels to a Pod
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      Containers running in Pods may sometimes need access to node-specific information on
      which the Pod has been scheduled. A common use case is node topology labels to ensure
      pods are spread across failure zones in racks or in the cloud. The mutate-pod-binding
      policy already does this for annotations, but it does not handle labels. A useful use
      case is for passing metric label information to ServiceMonitors and then into Prometheus.
      This policy watches for Pod binding events when the pod is scheduled and then
      asynchronously mutates the existing Pod to add the labels.
      This policy requires the following changes to common default configurations:
      - The kyverno resourceFilter should not filter Pod/binding resources.
      - The kyverno backgroundController service account requires Update permission on pods.
      It is recommended to use https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
spec:
  rules:
  - name: project-foo
    match:
      any:
      - resources:
          kinds:
          - Pod/binding
    context:
    # Name of the node the scheduler bound the Pod to, taken from the Binding request.
    - name: node
      variable:
        jmesPath: request.object.target.name
        default: ''
    # Look up the node object and read its "foo" label, falling back to 'empty'.
    - name: foolabel
      apiCall:
        urlPath: "/api/v1/nodes/{{node}}"
        jmesPath: "metadata.labels.foo || 'empty'"
    mutate:
      # The Binding itself is not mutated; the existing Pod is patched as a target.
      targets:
      - apiVersion: v1
        kind: Pod
        name: "{{ request.object.metadata.name }}"
        namespace: "{{ request.object.metadata.namespace }}"
      patchStrategicMerge:
        metadata:
          labels:
            foo: "{{ foolabel }}"
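The RBAC change the description calls for, written as an added example rather than a manifest shipped with this policy or by the Kyverno project: an aggregated ClusterRole that grants the background controller only the Update verb on pods. It assumes the aggregation label `rbac.kyverno.io/aggregate-to-background-controller` that Kyverno 1.10's `kyverno:background-controller` ClusterRole selects on; the ClusterRole name is a constructed example.

```yaml
# Added example: grant the Kyverno background controller permission to update
# Pods, which the mutate.targets rule above needs because it patches an
# existing Pod rather than the admission request object.
# The label below is the aggregation selector used by Kyverno 1.10's
# kyverno:background-controller ClusterRole; confirm it against the installed
# role with: kubectl get clusterrole kyverno:background-controller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # Constructed example name; any unique name works since it is aggregated by label.
  name: kyverno:background-controller:update-pods
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  # Least privilege: the strategic merge patch needs update only, not create or delete.
  - update
```

The second prerequisite is a ConfigMap edit rather than a new object: remove the `[Pod/binding,*,*]` entry from the `resourceFilters` key of the `kyverno` ConfigMap in the `kyverno` namespace so that binding requests are no longer dropped before reaching the policy engine.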