Add Volume to Deployment

Some Kubernetes applications, such as HashiCorp Vault, must make modifications to resources in order to invoke their specific functionality. Oftentimes that functionality is controlled by the presence of a label or a specific annotation. This policy, modeled on HashiCorp Vault, adds a volume and a volumeMount to a Deployment when the annotation "vault.k8s.corp.net/inject=enabled" is present on its pod template.

Policy Definition

/other/add-volume-deployment/add-volume-deployment.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-volume
  annotations:
    policies.kyverno.io/title: Add Volume to Deployment
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Deployment, Volume
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Some Kubernetes applications like HashiCorp Vault must perform some modifications
      to resources in order to invoke their specific functionality. Often times, that functionality
      is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp
      Vault, adds a volume and volumeMount to a Deployment if there is an annotation called
      "vault.k8s.corp.net/inject=enabled" present.
spec:
  rules:
  - name: add-volume
    match:
      any:
      - resources:
          kinds:
          - Deployment
    preconditions:
      any:
      - key: "{{request.object.spec.template.metadata.annotations.\"vault.k8s.corp.net/inject\"}}"
        operator: Equals
        value: enabled
    mutate:
      patchesJson6902: |-
        - op: add
          path: /spec/template/spec/volumes/-
          value:
            name: vault-secret
            emptyDir:
              medium: Memory
        - op: add
          path: /spec/template/spec/containers/0/volumeMounts/-
          value:
            mountPath: /secret
            name: vault-secret
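The following Python script is an added example, not part of the policy page or of Kyverno's own code. It replays the policy's logic offline: the precondition check against the pod-template annotation and the two RFC 6902 "add" operations from the patchesJson6902 block, applied to a constructed Deployment. The sample Deployments, the minimal JSON Patch helper and the function names are all assumptions made for this example. The helper follows strict RFC 6902 semantics, under which adding to a child of a path element that does not exist is an error; whether Kyverno relaxes that rule is not stated on the page, so the script also surfaces what happens when a Deployment has no volumes array at all, which is the case worth testing before relying on the policy.

```python
"""Offline dry-run of the add-volume policy against in-memory Deployments.

Constructed example: it does not talk to Kyverno or a cluster and reuses no Kyverno code.
"""
import copy
import json

# Constructed sample Deployment whose pod template carries the trigger annotation.
ANNOTATED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {
        "template": {
            "metadata": {"annotations": {"vault.k8s.corp.net/inject": "enabled"}},
            "spec": {
                "volumes": [{"name": "tmp", "emptyDir": {}}],
                "containers": [{
                    "name": "app",
                    "image": "example/app:1.0",
                    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
                }],
            },
        }
    },
}

# Variant without the annotation: the precondition must leave it untouched.
UNANNOTATED_DEPLOYMENT = copy.deepcopy(ANNOTATED_DEPLOYMENT)
UNANNOTATED_DEPLOYMENT["spec"]["template"]["metadata"]["annotations"] = {}

# Variant with the annotation but no volumes array: the edge case for "add" to "/volumes/-".
NO_VOLUMES_DEPLOYMENT = copy.deepcopy(ANNOTATED_DEPLOYMENT)
del NO_VOLUMES_DEPLOYMENT["spec"]["template"]["spec"]["volumes"]

# The two operations from the policy's patchesJson6902 block, as JSON Patch objects.
PATCH = [
    {"op": "add", "path": "/spec/template/spec/volumes/-",
     "value": {"name": "vault-secret", "emptyDir": {"medium": "Memory"}}},
    {"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/-",
     "value": {"mountPath": "/secret", "name": "vault-secret"}},
]


def precondition_matches(deployment):
    """Mirror the policy precondition: the *pod template* annotation must equal 'enabled'.

    Note that the JMESPath in the policy reads spec.template.metadata.annotations,
    not the Deployment's own metadata.annotations.
    """
    annotations = (deployment.get("spec", {}).get("template", {})
                   .get("metadata", {}).get("annotations") or {})
    return annotations.get("vault.k8s.corp.net/inject") == "enabled"


def json_patch_add(doc, path, value):
    """Minimal RFC 6902 'add': object keys, numeric array indexes and the '-' end marker.

    Strict semantics: every element of the parent path must already exist, so a
    missing 'volumes' array raises KeyError instead of being created implicitly.
    """
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]
    parent = doc
    for token in tokens[:-1]:
        parent = parent[int(token)] if isinstance(parent, list) else parent[token]
    last = tokens[-1]
    if isinstance(parent, list):
        if last == "-":
            parent.append(value)
        else:
            parent.insert(int(last), value)
    else:
        parent[last] = value
    return doc


def apply_policy(deployment):
    """Return a mutated copy when the precondition holds, otherwise the input itself."""
    if not precondition_matches(deployment):
        return deployment
    mutated = copy.deepcopy(deployment)
    for op in PATCH:
        json_patch_add(mutated, op["path"], op["value"])
    return mutated


def patch_error(deployment):
    """Return None when the policy applies cleanly, else a description of the failing path."""
    try:
        apply_policy(deployment)
    except (KeyError, IndexError) as exc:
        return f"missing path element {exc}"
    return None


if __name__ == "__main__":
    print(json.dumps(apply_policy(ANNOTATED_DEPLOYMENT)["spec"]["template"]["spec"], indent=2))
    print("no-volumes case:", patch_error(NO_VOLUMES_DEPLOYMENT))
```

Running the script prints the mutated pod spec with `vault-secret` appended to both `volumes` and the first container's `volumeMounts`, and reports the failing path for the Deployment that has no `volumes` array. The same dry-run idea applies to a real cluster: submit a Deployment with and without an existing `volumes` list to a test namespace and confirm the admission result matches what this script shows before trusting the policy on production workloads.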