Some Kubernetes applications like HashiCorp Vault must perform some modifications to resources in order to invoke their specific functionality. Often times, that functionality is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp Vault, adds a volume and volumeMount to a Deployment if there is an annotation called "vault.k8s.corp.net/inject=enabled" present.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: add-volumeannotations:policies.kyverno.io/title: Add Volume to Deploymentpolicies.kyverno.io/category: Samplepolicies.kyverno.io/subject: Deployment, Volumepolicies.kyverno.io/minversion: 1.6.0policies.kyverno.io/description: Some Kubernetes applications like HashiCorp Vault must perform some modifications to resources in order to invoke their specific functionality. Often times, that functionality is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp Vault, adds a volume and volumeMount to a Deployment if there is an annotation called "vault.k8s.corp.net/inject=enabled" present.spec:rules:- name: add-volumematch:any:- resources:kinds:- Deploymentpreconditions:any:- key: "{{request.object.spec.template.metadata.annotations.\"vault.k8s.corp.net/inject\"}}"operator: Equalsvalue: enabledmutate:patchesJson6902: |-- op: addpath: /spec/template/spec/volumes/-value:name: vault-secretemptyDir:medium: Memory- op: addpath: /spec/template/spec/containers/0/volumeMounts/-value:mountPath: /secretname: vault-secret
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.