The sidecar pattern is very common in Kubernetes whereby other applications can insert components via tacit modification of a submitted resource. This is, for example, often how service meshes and secrets applications are able to function transparently. This policy injects a sidecar container, initContainer, and volume into Pods that match an annotation called `vault.hashicorp.com/agent-inject: true`.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: inject-sidecarannotations:policies.kyverno.io/title: Inject Sidecar Containerpolicies.kyverno.io/category: Samplepolicies.kyverno.io/subject: Deployment,Volumepolicies.kyverno.io/minversion: 1.6.0policies.kyverno.io/description: "The sidecar pattern is very common in Kubernetes whereby other applications can insert components via tacit modification of a submitted resource. This is, for example, often how service meshes and secrets applications are able to function transparently. This policy injects a sidecar container, initContainer, and volume into Pods that match an annotation called `vault.hashicorp.com/agent-inject: true`."spec:rules:- name: inject-sidecarmatch:any:- resources:kinds:- Deploymentmutate:patchStrategicMerge:spec:template:metadata:annotations:(vault.hashicorp.com/agent-inject): "true"spec:containers:- name: vault-agentimage: vault:1.5.4imagePullPolicy: IfNotPresentvolumeMounts:- mountPath: /vault/secretsname: vault-secretinitContainers:- name: vault-agent-initimage: vault:1.5.4imagePullPolicy: IfNotPresentvolumeMounts:- mountPath: /vault/secretsname: vault-secretvolumes:- name: vault-secretemptyDir:medium: Memory
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.