It is often necessary to make decisions about resources based on the version of the Kubernetes API server in the cluster. This policy serves as an example of how to retrieve the minor version of the Kubernetes API server and subsequently use it in a policy behavior. It mutates a Secret upon its creation, adding a label called `apiminorversion` whose value is the minor version of the API server.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: kubernetes-version-check
  annotations:
    policies.kyverno.io/title: Kubernetes Version Check
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Secret
    kyverno.io/kyverno-version: 1.8.0-rc2
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      It is often needed to make decisions for resources based upon the version of the
      Kubernetes API server in the cluster. This policy serves as an example for how to
      retrieve the minor version of the Kubernetes API server and subsequently use in a
      policy behavior. It will mutate a Secret upon its creation with a label called
      `apiminorversion` the value of which is the minor version of the API server.
spec:
  rules:
  - name: test-ver-ver
    match:
      any:
      - resources:
          kinds:
          - Secret
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: CREATE
    context:
    - name: minorversion
      apiCall:
        urlPath: /version
        jmesPath: minor
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            apiminorversion: "{{minorversion}}"
```
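The following Python is an added example, not part of the policy above or of the Kyverno project, that models what the rule does at admission time: it takes a constructed `/version` response (the `minor` field that the `jmesPath: minor` context lookup extracts), applies the `request.operation || 'BACKGROUND'` precondition, and merges the `apiminorversion` label into a Secret the way `patchStrategicMerge` would. It also covers a caveat worth knowing before relying on this value: some managed distributions report `minor` as `"24+"` rather than `"24"`, and `+` is not a legal character in a Kubernetes label value, so the example strips the suffix before using it as a label or in a numeric comparison. The sample version responses and admission request are constructed for the example; the function names are the example's own.

```python
import copy
import re

# Constructed sample responses from the API server's /version endpoint.
# Upstream clusters report a bare number; some managed distributions append "+".
VERSION_UPSTREAM = {"major": "1", "minor": "24", "gitVersion": "v1.24.3"}
VERSION_MANAGED = {"major": "1", "minor": "24+", "gitVersion": "v1.24.10-managed-example"}

# Kubernetes label value syntax: empty, or an alphanumeric-bounded run of
# [-A-Za-z0-9_.], at most 63 characters. '+' is not permitted.
LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")


def is_valid_label_value(value: str) -> bool:
    """Return True if `value` would be accepted by the API server as a label value."""
    return len(value) <= 63 and LABEL_VALUE_RE.match(value) is not None


def minor_version(version_response: dict) -> str:
    """Equivalent of the policy's context entry: apiCall to /version with jmesPath `minor`."""
    return str(version_response["minor"])


def sanitize_minor(minor: str) -> str:
    """Keep only the leading digits so a value like '24+' becomes '24'."""
    match = re.match(r"^(\d+)", minor)
    if not match:
        raise ValueError(f"unexpected minor version: {minor!r}")
    return match.group(1)


def is_at_least(version_response: dict, minimum_minor: int) -> bool:
    """Version-gating helper: is the API server at least 1.<minimum_minor>?"""
    return int(sanitize_minor(minor_version(version_response))) >= minimum_minor


def precondition_passes(request: dict) -> bool:
    """Mirror `{{request.operation || 'BACKGROUND'}}` Equals CREATE.

    A missing operation (as in a background scan) defaults to BACKGROUND,
    so the rule only fires on admission of a CREATE request.
    """
    return request.get("operation", "BACKGROUND") == "CREATE"


def mutate_secret(request: dict, version_response: dict) -> dict:
    """Apply the rule to a constructed admission request and return the resulting object.

    Only Secrets that pass the precondition are changed; existing labels are kept,
    as a strategic merge patch would keep them.
    """
    obj = copy.deepcopy(request["object"])
    if obj.get("kind") != "Secret" or not precondition_passes(request):
        return obj
    value = sanitize_minor(minor_version(version_response))
    if not is_valid_label_value(value):
        raise ValueError(f"{value!r} is not a valid label value")
    labels = obj.setdefault("metadata", {}).setdefault("labels", {})
    labels["apiminorversion"] = value
    return obj


if __name__ == "__main__":
    # Constructed CREATE request for a Secret that already carries one label.
    request = {
        "operation": "CREATE",
        "object": {"kind": "Secret", "metadata": {"name": "demo", "labels": {"app": "web"}}},
    }
    print(mutate_secret(request, VERSION_MANAGED)["metadata"]["labels"])
    print("raw managed value is a valid label:", is_valid_label_value(minor_version(VERSION_MANAGED)))
```

Running the script shows the merged labels `{'app': 'web', 'apiminorversion': '24'}` and that the raw `"24+"` value would not have been accepted as a label; on such a cluster the policy as written would need its JMESPath expression adjusted to drop the suffix before the mutation is admitted.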
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
CAST AI will not downscale a node that includes a pod carrying the autoscaling.cast.ai/removal-disabled="true" label. This protects sensitive workloads from being evicted, and the label can be applied to any pod to guard against unwanted downscaling. This policy mutates Jobs and CronJobs to add the removal-disabled label so their pods are protected from eviction.