It is common for Namespaced resources to need access to labels which have been assigned to the Namespace in which they reside. This policy demonstrates two different ways of assigning Namespace labels to a Deployment. The first method copies only the `owner` label while the second copies all labels except for `kubernetes.io/metadata.name`.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: copy-namespace-labelsannotations:policies.kyverno.io/title: Copy Namespace Labelspolicies.kyverno.io/category: Otherpolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Deployment, Label, Namespacekyverno.io/kyverno-version: 1.11.1kyverno.io/kubernetes-version: "1.27"policies.kyverno.io/description: It is common for Namespaced resources to need access to labels which have been assigned to the Namespace in which they reside. This policy demonstrates two different ways of assigning Namespace labels to a Deployment. The first method copies only the `owner` label while the second copies all labels except for `kubernetes.io/metadata.name`.spec:rules:- name: owner-label-deployment-from-nsmatch:any:- resources:kinds:- Deploymentoperations:- CREATEcontext:- name: ownerapiCall:urlPath: /api/v1/namespaces/{{ request.object.metadata.namespace }}jmesPath: metadata.labels.owner || 'empty'mutate:patchStrategicMerge:metadata:labels:owner: "{{ owner }}"- name: all-label-deployment-from-nsmatch:any:- resources:kinds:- Deploymentoperations:- CREATEcontext:- name: alllabelsapiCall:urlPath: /api/v1/namespaces/{{ request.object.metadata.namespace }}jmesPath: metadata.labels | merge(@, {"kubernetes.io/metadata.name":null})mutate:patchStrategicMerge:metadata:labels: "{{ alllabels }}"
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
CAST AI will not downscale a node that includes a pod with the autoscaling.cast.ai/removal-disabled="true" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and cronjobs to add the removal-disabled label to protect against eviction.