Container images that carry metadata such as a Dockerfile `LABEL` instruction do not surface that metadata to the processes running inside the container. In some cases an application running as a container needs access to it. This policy reads the image label named `maintainer` from the container image's configuration and injects its value into the corresponding container in the Pod as the environment variable `MAINTAINER`. Because the `imageRegistry` context variable resolves the label by fetching the image configuration from the registry at admission time, Kyverno needs network access to the registry (and credentials for private registries), and the injected value is whatever the image publisher put in the label, so treat it as image-controlled data rather than a trusted setting.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-env-var-from-image-label
  annotations:
    policies.kyverno.io/title: Inject Env Var from Image Label
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    pod-policies.kyverno.io/autogen-controllers: none
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Container images which use metadata such as the LABEL directive in a Dockerfile
      do not surface this information to apps running within. In some cases, running
      the image as a container may need access to this information. This policy
      injects the value of a label set in a Dockerfile named `maintainer` as an
      environment variable to the corresponding container in the Pod.
spec:
  rules:
  - name: add-env-maintainer
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    mutate:
      foreach:
      - list: request.object.spec.containers
        context:
        - name: maintainer
          imageRegistry:
            reference: "{{ element.image }}"
            jmesPath: configData.config.Labels.maintainer || ''
        preconditions:
          all:
          - key: "{{maintainer}}"
            operator: NotEquals
            value: ""
        patchesJson6902: |-
          - op: add
            path: "/spec/containers/{{elementIndex}}/env/-"
            value:
              name: MAINTAINER
              value: "{{maintainer}}"
```
The Kubernetes cluster autoscaler does not evict Pods that use hostPath or emptyDir volumes, because it treats them as local storage, so a node running such a Pod is never scaled down. To allow eviction of these Pods, the annotation `cluster-autoscaler.kubernetes.io/safe-to-evict=true` must be added to them. This policy adds that annotation to Pods that mount a hostPath or emptyDir volume.
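The following is an added example of how such a mutation can be expressed as a Kyverno ClusterPolicy; it is illustrative code written for this page, not the policy shipped by the Kyverno project. The policy name `add-safe-to-evict-example` and the rule names are assumed. It relies on Kyverno's global anchor `<()`, which applies the whole strategic-merge patch (here, the annotation on `metadata`) when the anchored condition matches anywhere in the resource, and on the `+()` anchor, which adds the annotation only if it is not already set, so a Pod that explicitly opts out with `safe-to-evict: "false"` keeps its own value.

```yaml
# Added example policy (assumed name), not Kyverno's own add-safe-to-evict policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-safe-to-evict-example
spec:
  rules:
  # Rule 1: any Pod with at least one emptyDir volume gets the annotation.
  - name: annotate-empty-dir
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            # +() = add only if the annotation is absent; an explicit "false" is preserved.
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:
          volumes:
          # <() = global anchor: condition is "some volume has an emptyDir block".
          - <(emptyDir): {}
  # Rule 2: same treatment for Pods with a hostPath volume.
  - name: annotate-host-path
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:
          volumes:
          # Wildcard path: any hostPath volume, whatever it mounts, triggers the patch.
          - <(hostPath):
              path: "*"
```

Apply it with `kubectl apply -f` and create a Pod with an `emptyDir` volume; the admitted Pod should carry the annotation, while a Pod with only a PersistentVolumeClaim is left untouched. Because the annotation lets the autoscaler evict workloads whose emptyDir contents are lost on eviction, scope the `match` block (for example by namespace) to workloads that can tolerate that before rolling it out cluster-wide.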
CAST AI will not downscale a node that hosts a Pod carrying the label `autoscaling.cast.ai/removal-disabled="true"`. The label protects sensitive workloads from eviction and can be applied to any Pod that must not be disrupted by downscaling. This policy mutates Jobs and CronJobs to add the `removal-disabled` label so that their Pods are protected from eviction.