Inject Sidecar Container
The sidecar pattern is very common in Kubernetes: other applications insert components by tacitly modifying a submitted resource. This is, for example, often how service meshes and secrets applications are able to function transparently. This policy injects a sidecar container, an initContainer, and a volume into Pods that carry the annotation `vault.hashicorp.com/agent-inject: true`.
Policy Definition
/other/inject-sidecar-deployment/inject-sidecar-deployment.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-sidecar
  annotations:
    policies.kyverno.io/title: Inject Sidecar Container
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Deployment,Volume
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      The sidecar pattern is very common in Kubernetes whereby other applications can
      insert components via tacit modification of a submitted resource. This is, for example,
      often how service meshes and secrets applications are able to function transparently.
      This policy injects a sidecar container, initContainer, and volume into Pods that match
      an annotation called `vault.hashicorp.com/agent-inject: true`.
spec:
  rules:
  - name: inject-sidecar
    match:
      any:
      - resources:
          kinds:
          - Deployment
    mutate:
      patchStrategicMerge:
        spec:
          template:
            metadata:
              annotations:
                (vault.hashicorp.com/agent-inject): "true"
            spec:
              containers:
              - name: vault-agent
                image: vault:1.5.4
                imagePullPolicy: IfNotPresent
                volumeMounts:
                - mountPath: /vault/secrets
                  name: vault-secret
              initContainers:
              - name: vault-agent-init
                image: vault:1.5.4
                imagePullPolicy: IfNotPresent
                volumeMounts:
                - mountPath: /vault/secrets
                  name: vault-secret
              volumes:
              - name: vault-secret
                emptyDir:
                  medium: Memory
```
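The following added example (not part of the Kyverno policy library or Kyverno's own code) models in Python what the rule above does to a Deployment: the conditional anchor `(vault.hashicorp.com/agent-inject): "true"` gates the whole patch, and list entries are merged by `name`, so a workload container already called `vault-agent` has its image replaced rather than a second container being added. The helper names `merge_by_name`, `mutate` and `make_deployment` are hypothetical, and the merge is simplified to a shallow per-entry update.

```python
import copy

# Fragments the policy on this page adds (copied from its patchStrategicMerge).
MOUNT = {"mountPath": "/vault/secrets", "name": "vault-secret"}
PATCH = {
    "containers": [{"name": "vault-agent", "image": "vault:1.5.4",
                    "imagePullPolicy": "IfNotPresent", "volumeMounts": [MOUNT]}],
    "initContainers": [{"name": "vault-agent-init", "image": "vault:1.5.4",
                        "imagePullPolicy": "IfNotPresent", "volumeMounts": [MOUNT]}],
    "volumes": [{"name": "vault-secret", "emptyDir": {"medium": "Memory"}}],
}
ANNOTATION = "vault.hashicorp.com/agent-inject"


def merge_by_name(existing, additions):
    """Strategic-merge style list merge: entries are keyed on `name`."""
    merged = [copy.deepcopy(e) for e in existing]
    index = {e["name"]: e for e in merged}
    for add in additions:
        if add["name"] in index:
            # Simplification: shallow update, values from the patch win.
            index[add["name"]].update(copy.deepcopy(add))
        else:
            merged.append(copy.deepcopy(add))
    return merged


def mutate(deployment):
    """Return the Deployment as the rule would leave it (input is not modified)."""
    out = copy.deepcopy(deployment)
    if out.get("kind") != "Deployment":
        return out
    template = out.get("spec", {}).get("template", {})
    annotations = template.get("metadata", {}).get("annotations") or {}
    # Conditional anchor: the patch applies only if the key exists with value "true".
    if annotations.get(ANNOTATION) != "true":
        return out
    pod_spec = template.setdefault("spec", {})
    for field, additions in PATCH.items():
        pod_spec[field] = merge_by_name(pod_spec.get(field, []), additions)
    return out


def make_deployment(annotations, containers=None):
    """Constructed sample input: a minimal Deployment manifest as a dict."""
    containers = containers or [{"name": "app", "image": "nginx"}]
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo"},
            "spec": {"template": {"metadata": {"annotations": annotations},
                                  "spec": {"containers": containers}}}}
```
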