In restricted environments, Pods may not be allowed to egress directly to all destinations, and traffic to specific addresses may need to go through a corporate proxy. This policy adds proxy settings to Pods in the form of environment variables. It adds the `env` array if it is not present. If a Pod already has any of these env vars, they are overwritten with the value(s) in this policy. Two points to keep in mind before applying it as-is: the strategic merge patch below targets `spec.containers` only, so init containers are not touched, and `NO_PROXY` parsing is not standardized, so wildcard and CIDR entries are honoured differently by different HTTP clients; test the value against the runtimes your workloads actually use.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-pod-proxies
  annotations:
    policies.kyverno.io/title: Add Pod Proxies
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      In restricted environments, Pods may not be allowed to egress directly to all destinations
      and some overrides to specific addresses may need to go through a corporate proxy.
      This policy adds proxy information to Pods in the form of environment variables.
      It will add the `env` array if not present. If any Pods have any of these env vars,
      they will be overwritten with the value(s) in this policy.
spec:
  rules:
  - name: add-pod-proxies
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - (name): "*"
            env:
            - name: HTTP_PROXY
              value: http://proxy.corp.domain:8080
            - name: HTTPS_PROXY
              value: https://secureproxy.corp.domain:8080
            - name: NO_PROXY
              value: localhost,*.example.com
```
By default, the Kubernetes cluster autoscaler will not scale down a node that is running Pods which use hostPath or emptyDir volumes, because it treats them as local storage that would be lost on eviction. To allow eviction of these Pods, the annotation `cluster-autoscaler.kubernetes.io/safe-to-evict=true` must be added to them (the alternative is the autoscaler flag `--skip-nodes-with-local-storage=false`, which relaxes the check for the whole cluster). Note that the annotation is a statement that losing the volume contents is acceptable, so it should only be applied to workloads that can tolerate that.
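The following is an added example of how the annotation can be applied with a Kyverno mutate rule; it is not the catalog's own policy. The policy name, rule names and the namespace restriction are assumptions made here to keep the mutation from touching every Pod in the cluster. It uses two Kyverno pattern anchors: `+()` adds the annotation only if it is absent (so an explicit `safe-to-evict: "false"` set by the workload owner is preserved), and `<()` is a conditional anchor, so each rule only patches Pods that actually declare a volume of the matching type.

```yaml
# Added example, not the catalog's own policy.
# Assumed names: add-safe-to-evict, annotate-empty-dir, annotate-host-path,
# and the namespace list under match, which you should replace with your own.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-safe-to-evict
spec:
  rules:
  # Only Pods with at least one emptyDir volume get the annotation.
  - name: annotate-empty-dir
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - batch-jobs          # assumed: workloads known to tolerate losing emptyDir data
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            # +() : add only if the key is not already present
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:
          volumes:
          # <() : conditional anchor, rule applies only when this matches
          - <(emptyDir): {}
  # Same idea for hostPath volumes, any path.
  - name: annotate-host-path
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - batch-jobs          # assumed
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:
          volumes:
          - <(hostPath):
              path: "*"
```

Because `+()` never overwrites an existing value, a workload that sets the annotation to `"false"` itself keeps its protection from scale-down; drop the `+()` anchor if you want the policy to force `"true"` regardless.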
Tiller, the in-cluster component of Helm v2, has well-known security problems. It runs with administrative privileges and acts as a shared resource reachable by any authenticated user, so a restricted user can use it to affect other users' releases, which amounts to privilege escalation. Helm v3 removed Tiller for these reasons, and Helm v2 itself reached end of support in November 2020, so Helm v3+ should be used. This policy validates that no container image name contains the string `tiller`. Because the check is purely name-based, an image that has been retagged or mirrored under a different name will not be caught; treat it as a guardrail, not as proof that Tiller is absent.
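The following is an added example of the validate rule described above, written here for illustration rather than taken from the catalog. The policy name, rule name and failure message are assumptions. The pattern `!*tiller*` is a negated wildcard, so any container whose image reference contains `tiller` fails validation; the `=()` equality anchors make the `initContainers` and `ephemeralContainers` checks apply only when those optional lists are present, which avoids rejecting every Pod that simply has no init containers.

```yaml
# Added example, not the catalog's own policy.
# Assumed names: disallow-helm-tiller, validate-helm-tiller, and the message text.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-helm-tiller
spec:
  # Enforce rejects the admission request; use Audit first to see what would fail.
  validationFailureAction: Enforce
  # Also report on Pods that already exist in the cluster.
  background: true
  rules:
  - name: validate-helm-tiller
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Helm Tiller is not allowed"
      pattern:
        spec:
          # =() : only evaluate this list if the Pod declares it
          =(ephemeralContainers):
          - image: "!*tiller*"
          =(initContainers):
          - image: "!*tiller*"
          # regular containers are always present, so no anchor is needed
          containers:
          - image: "!*tiller*"
```

Matching `Pod` rather than `Deployment` catches every way a workload can be created, including Pods submitted directly or through a custom controller; Kyverno's auto-generated rules for Pod controllers will also produce the corresponding Deployment-level checks so failures surface at the controller, not only at the Pod.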