Containers running in Pods may sometimes need access to node-specific information about the Node on which the Pod has been scheduled. Scheduling decisions are made by kube-scheduler after the Pod has been persisted, so only at that point can the Node to which the Pod is bound be fetched. The Kubernetes API specifically allows annotations on these Binding resources to be projected onto the Pods that are their subject. This policy watches for, and then mutates, the /binding subresource of a Pod to add an annotation named `foo` whose value comes from the bound Node's label, also called `foo`. Use of this policy may require removal of the Binding resourceFilter in Kyverno's ConfigMap.
```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: mutate-pod-binding
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Mutate Pod Binding
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      Containers running in Pods may sometimes need access to node-specific
      information on which the Pod has been scheduled. Scheduling decisions are
      made by kube-scheduler after the Pod has been persisted and so only at that
      time may the Node to which the Pod is bound can be fetched. The Kubernetes
      API allows specifically the projection of annotations from these Binding
      resources to the Pods which are their subject. This policy watches for
      then mutates the /binding subresource of a Pod to add an annotation named
      `foo` the value of which comes from the bound Node's label also called
      `foo`. Use of this policy may require removal of the Binding resourceFilter
      in Kyverno's ConfigMap.
spec:
  background: false
  rules:
  - name: project-foo
    match:
      any:
      - resources:
          kinds:
          - Pod/binding
    context:
    - name: node
      variable:
        jmesPath: request.object.target.name
        default: ""
    - name: foolabel
      apiCall:
        urlPath: /api/v1/nodes/{{node}}
        jmesPath: metadata.labels.foo || 'empty'
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            foo: "{{ foolabel }}"
```
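The resourceFilter caveat is the part most likely to bite in practice: Kyverno never receives admission requests for kinds listed in the `resourceFilters` key of its ConfigMap, so while a `[Binding,*,*]` entry is present the `Pod/binding` rule above silently never fires. The following before/after ConfigMap excerpt is an added illustration, not part of the policy catalog. The ConfigMap name and namespace (`kyverno` in `kyverno`) are those of a default install, and the filter list is shortened and constructed for illustration rather than copied from any release.

```yaml
# Added example, not from the policy catalog. The "kyverno"/"kyverno" name and
# namespace are an assumption (default install), and the filter list is a
# constructed, shortened sample.
#
# Before: the Binding entry is present, so Pod/binding admission requests are
# dropped before any policy can match them.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kyverno
  namespace: kyverno
data:
  resourceFilters: "[Event,*,*][*/*,kube-system,*][Node,*,*][Binding,*,*][Lease,*,*]"
---
# After: identical except that "[Binding,*,*]" is removed, so Pod/binding
# requests now reach the mutate-pod-binding policy. The apiCall to
# /api/v1/nodes/{{node}} is unaffected by "[Node,*,*]" because it is a direct
# API read, not an admission request.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kyverno
  namespace: kyverno
data:
  resourceFilters: "[Event,*,*][*/*,kube-system,*][Node,*,*][Lease,*,*]"
```

Edit only the one entry rather than replacing the whole value; the other filters keep Kyverno from processing its own namespace and high-volume kinds such as Events, and removing them increases admission latency and the blast radius of a misconfigured policy.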
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
CAST AI will not downscale a node that includes a pod carrying the autoscaling.cast.ai/removal-disabled="true" label. This protects sensitive workloads from being evicted and can be applied to any pod to prevent unwanted downscaling. This policy mutates Jobs and CronJobs to add the removal-disabled label and so protect their pods against eviction.
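Neither of the two autoscaler-related descriptions above shows its policy, so here is one added pair of Kyverno policies (written for this page, not the catalog's own definitions) that implement what they describe: the first annotates Pods that mount a hostPath or emptyDir volume with `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"`, the second adds the `autoscaling.cast.ai/removal-disabled: "true"` label to the pod template of Jobs and CronJobs. The policy and rule names, the JMESPath precondition that restricts the first policy to Pods with local volumes, and the decision to place the CAST AI label on the pod template (where the resulting pods inherit it) are my assumptions; the annotation and label keys are the ones the descriptions give.

```yaml
# Added example policies, not the catalog's own. Policy and rule names, the
# volume precondition, and the label placement on the pod template are assumptions.
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: add-safe-to-evict-example
spec:
  background: false
  rules:
  - name: annotate-pods-with-local-volumes
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      # Only Pods that actually mount a hostPath or emptyDir volume need the
      # annotation; "|| `[]`" keeps length() valid when spec.volumes is absent.
      - key: "{{ request.object.spec.volumes[?hostPath || emptyDir] || `[]` | length(@) }}"
        operator: GreaterThan
        value: 0
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            # The "+()" anchor adds the key only when it is not already set, so an
            # explicit "false" placed by the workload owner is left untouched.
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
---
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: cast-ai-removal-disabled-example
spec:
  background: false
  rules:
  - name: label-job-pods
    match:
      any:
      - resources:
          kinds:
          - Job
    mutate:
      patchStrategicMerge:
        spec:
          template:
            metadata:
              labels:
                +(autoscaling.cast.ai/removal-disabled): "true"
  - name: label-cronjob-pods
    match:
      any:
      - resources:
          kinds:
          - CronJob
    mutate:
      patchStrategicMerge:
        # CronJobs nest the pod template one level deeper, under jobTemplate.
        spec:
          jobTemplate:
            spec:
              template:
                metadata:
                  labels:
                    +(autoscaling.cast.ai/removal-disabled): "true"
```

The two policies pull in opposite directions by design: the first makes scale-down possible for pods that the cluster autoscaler would otherwise refuse to evict, the second pins batch workloads so a CAST AI downscale cannot interrupt them. Scope each with `match`/`exclude` on namespaces or labels before rolling them out cluster-wide, and check the resulting objects with a dry-run admission (`kubectl apply --dry-run=server`) to confirm the annotation or label lands where expected.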