Refresh Environment Variables in Pods

When Pods consume Secrets or ConfigMaps through environment variables, a change to the contents of those source resources is normally not visible to the downstream Pods: for the change to be reflected, the Pods must be restarted or respawned. This policy watches for updates to Secrets that have been marked for refreshing with the label `kyverno.io/watch=true` and writes an annotation into the Pod template of any Deployment in the same Namespace that consumes that Secret as an env var. The changed Pod template triggers a new rollout, and the new Pods pick up the updated values. See the related policy entitled "Refresh Volumes in Pods" for a similar reloading process when ConfigMaps and Secrets are consumed as volumes instead. Use of this policy may require granting the Kyverno ServiceAccount permission to update Deployments.

Policy Definition

/other/refresh-env-var-in-pod/refresh-env-var-in-pod.yaml

```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: refresh-env-var-in-pods
  annotations:
    policies.kyverno.io/title: Refresh Environment Variables in Pods
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod,Deployment,Secret
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      When Pods consume Secrets or ConfigMaps through environment variables, should the contents
      of those source resources change, the downstream Pods are normally not aware of them. In order
      for the changes to be reflected, Pods must either restart or be respawned. This policy watches
      for changes to Secrets which have been marked for this refreshing process which contain the label
      `kyverno.io/watch=true` and will write an annotation to any Deployment Pod template which consume
      them as env vars. This will result in a new rollout of Pods which will pick up the changed values.
      See the related policy entitled "Refresh Volumes in Pods" for a similar reloading process when ConfigMaps
      and Secrets are consumed as volumes instead. Use of this policy may require providing the Kyverno ServiceAccount
      with permission to update Deployments.
spec:
  mutateExistingOnPolicyUpdate: false
  rules:
  - name: refresh-from-secret-env
    match:
      any:
      - resources:
          kinds:
          - Secret
          selector:
            matchLabels:
              kyverno.io/watch: "true"
    preconditions:
      all:
      - key: "{{request.operation}}"
        operator: Equals
        value: UPDATE
    mutate:
      targets:
        - apiVersion: apps/v1
          kind: Deployment
          namespace: "{{request.namespace}}"
      patchStrategicMerge:
        spec:
          template:
            metadata:
              annotations:
                corp.org/random: "{{ random('[0-9a-z]{8}') }}"
            spec:
              containers:
              - env:
                - valueFrom:
                    secretKeyRef:
                      <(name): "{{ request.object.metadata.name }}"
```
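The manifests below are an added example, not part of the policy page or the Kyverno project, showing the three resources needed to exercise the policy above: a Secret opted in with the `kyverno.io/watch` label, a Deployment whose container references that Secret via `secretKeyRef` (the element the policy's `<(name)` conditional anchor matches on), and the RBAC that lets Kyverno patch Deployments in the background. The namespace `demo`, the resource names, the image, and the RBAC aggregation label (the one used by Kyverno 1.10+) are assumptions for this example; the verbs granted are kept to what the mutate-existing rule needs rather than `*`.

```yaml
# Added example (not the policy page's own resources). Namespace "demo", names,
# image, and the RBAC label/verbs are assumptions for illustration.
---
# 1. A Secret opted in to refreshing. Only Secrets carrying this label are matched
#    by the policy; unlabelled Secrets never trigger a rollout.
apiVersion: v1
kind: Secret
metadata:
  name: app-db-credentials
  namespace: demo
  labels:
    kyverno.io/watch: "true"
type: Opaque
stringData:
  DB_PASSWORD: "initial-value"   # constructed sample value
---
# 2. A Deployment consuming the Secret as an env var. The policy's conditional anchor
#    `<(name)` matches secretKeyRef.name against the updated Secret's name, so this
#    Deployment receives the corp.org/random annotation on its Pod template when the
#    Secret is updated; a Deployment in the same namespace that does not reference
#    the Secret is left untouched.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: registry.example.com/app:1.0   # assumed image
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-db-credentials
              key: DB_PASSWORD
---
# 3. RBAC for the mutate-existing rule. Kyverno patches the target Deployments in the
#    background, so its background controller needs update rights on Deployments.
#    Assumption: the aggregation label below is the one used by Kyverno 1.10+; for
#    other versions adjust the label or bind the role directly to the Kyverno
#    ServiceAccount. Verbs are scoped to deployments only, not "*".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:refresh-deployments
  labels:
    rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "update", "patch"]
```

Because the rule's precondition requires `request.operation == UPDATE`, applying these manifests for the first time does not roll the Deployment; only a subsequent change to the Secret does (for instance `kubectl -n demo patch secret app-db-credentials -p '{"stringData":{"DB_PASSWORD":"rotated"}}'`), after which `kubectl -n demo rollout status deployment/app` shows the new rollout and `kubectl -n demo get deployment app -o jsonpath='{.spec.template.metadata.annotations}'` shows the fresh `corp.org/random` value. Two points worth keeping in mind when adopting this: `mutateExistingOnPolicyUpdate: false` means installing or editing the policy itself never restarts workloads, and any update to a watched Secret restarts every Deployment in that namespace that references it, so write access to a watched Secret effectively carries the ability to force rollouts of those workloads.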