Refresh Volumes in Pods

ConfigMaps and Secrets mounted as volumes into a Pod do eventually propagate content changes to the Pods that mount them, but that propagation may take between 60-90 seconds. Modifying the downstream Pods causes the changes to take effect almost instantly. This policy watches for changes to ConfigMaps marked for this quick reload by the label `kyverno.io/watch=true` and writes an annotation to any Pods that mount them as volumes, triggering a fast refresh of their contents. See the related policy entitled "Refresh Environment Variables in Pods" for a similar reload when ConfigMaps and Secrets are consumed as environment variables instead. Use of this policy may require granting the Kyverno ServiceAccount permission to update Pods.

Policy Definition

/other/refresh-volumes-in-pods/refresh-volumes-in-pods.yaml

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: refresh-volumes-in-pods
  annotations:
    policies.kyverno.io/title: Refresh Volumes in Pods
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod,ConfigMap
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Although ConfigMaps and Secrets mounted as volumes to a Pod, when the contents change,
      will eventually propagate to the Pods mounting them, this process may take between 60-90 seconds.
      In order to reduce that time, a modification made to downstream Pods will cause the changes
      to take effect almost instantly. This policy watches for changes to ConfigMaps which have been
      marked for this quick reloading process which contain the label `kyverno.io/watch=true` and
      will write an annotation to any Pods which mount them as volumes causing a fast refresh in their
      contents. See the related policy entitled "Refresh Environment Variables in Pods" for a similar
      reloading process when ConfigMaps and Secrets are consumed as environment variables instead.
      Use of this policy may require providing the Kyverno ServiceAccount with permission
      to update Pods.
spec:
  mutateExistingOnPolicyUpdate: false
  rules:
  - name: refresh-from-configmap-volume
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
          selector:
            matchLabels:
              kyverno.io/watch: "true"
    preconditions:
      all:
      - key: "{{ request.operation }}"
        operator: Equals
        value: UPDATE
    mutate:
      targets:
        - apiVersion: v1
          kind: Pod
          namespace: "{{ request.namespace }}"
      patchStrategicMerge:
        metadata:
          annotations:
            corp.org/random: "{{ random('[0-9a-z]{8}') }}"
        spec:
          volumes:
          - configMap:
              <(name): "{{ request.object.metadata.name }}"
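To make the policy's selection logic concrete, here is an added example (not code from the Kyverno policy library) that re-implements the rule's behaviour offline in Python: the `match` selector and `UPDATE` precondition, the `targets` scoping to `request.namespace`, the `<(name)` conditional anchor that restricts the patch to Pods with a `configMap` volume of that name, and the `random('[0-9a-z]{8}')` annotation value. The ConfigMap request and the three Pods are constructed sample data; the namespace `apps` and the Pod names are assumptions. Note two things the simulation makes visible: the rule as written selects only ConfigMaps, so a labelled Secret would not trigger it, and a Pod that consumes the ConfigMap only through `envFrom` is not touched, which is why the separate environment-variable policy exists.

```python
"""Offline simulation of the refresh-volumes-in-pods ClusterPolicy (added example)."""
from __future__ import annotations

import re
import secrets
import string

WATCH_LABEL = "kyverno.io/watch"               # selector in the rule's match block
ANNOTATION_KEY = "corp.org/random"             # annotation written by patchStrategicMerge
SUFFIX_PATTERN = re.compile(r"^[0-9a-z]{8}$")  # shape produced by random('[0-9a-z]{8}')


def random_suffix(length: int = 8) -> str:
    """Equivalent of the policy's random('[0-9a-z]{8}') call: 8 chars from [0-9a-z]."""
    alphabet = string.digits + string.ascii_lowercase
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rule_matches(request: dict) -> bool:
    """match + preconditions: an UPDATE of a ConfigMap labelled kyverno.io/watch=true."""
    obj = request["object"]
    if obj.get("kind") != "ConfigMap":          # only ConfigMaps are in the match block
        return False
    if request.get("operation") != "UPDATE":    # precondition on request.operation
        return False
    labels = obj.get("metadata", {}).get("labels") or {}
    return labels.get(WATCH_LABEL) == "true"


def pod_mounts_configmap(pod: dict, cm_name: str) -> bool:
    """The <(name) conditional anchor: true only if some configMap volume has this name."""
    for vol in pod.get("spec", {}).get("volumes") or []:
        cm = vol.get("configMap")
        if cm and cm.get("name") == cm_name:
            return True
    return False


def mutate_existing(request: dict, pods: list[dict]) -> list[str]:
    """Apply the rule to existing Pods in place; return the names of the Pods patched."""
    if not rule_matches(request):
        return []
    cm_name = request["object"]["metadata"]["name"]
    patched = []
    for pod in pods:
        meta = pod["metadata"]
        if meta["namespace"] != request["namespace"]:   # targets: namespace = request.namespace
            continue
        if not pod_mounts_configmap(pod, cm_name):      # anchor did not match: no patch
            continue
        meta.setdefault("annotations", {})[ANNOTATION_KEY] = random_suffix()
        patched.append(meta["name"])
    return patched


def sample_request(operation: str = "UPDATE", watched: bool = True) -> dict:
    """Constructed admission request for a ConfigMap named app-config in namespace apps."""
    labels = {WATCH_LABEL: "true"} if watched else {}
    return {
        "operation": operation,
        "namespace": "apps",
        "object": {
            "kind": "ConfigMap",
            "metadata": {"name": "app-config", "namespace": "apps", "labels": labels},
            "data": {"LOG_LEVEL": "debug"},
        },
    }


def sample_pods() -> list[dict]:
    """Constructed Pods covering the three outcomes of the rule."""
    return [
        {   # mounts app-config as a volume in the same namespace -> gets the annotation
            "metadata": {"name": "web", "namespace": "apps"},
            "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}]},
        },
        {   # consumes app-config only via envFrom -> not a volume, left untouched
            "metadata": {"name": "worker", "namespace": "apps"},
            "spec": {"containers": [{"name": "c", "envFrom": [{"configMapRef": {"name": "app-config"}}]}]},
        },
        {   # mounts a same-named ConfigMap in another namespace -> outside the targets scope
            "metadata": {"name": "web", "namespace": "other"},
            "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}]},
        },
    ]


if __name__ == "__main__":
    pods = sample_pods()
    print("patched:", mutate_existing(sample_request(), pods))
    for pod in pods:
        meta = pod["metadata"]
        print(meta["namespace"], meta["name"], meta.get("annotations"))
```

Because the annotation value changes on every ConfigMap update, each update produces a distinct Pod modification, which is what drives the kubelet to resync the mounted volume; a fixed value would be a no-op after the first patch. In a real cluster the patch is applied by Kyverno's background controller, so its ServiceAccount needs `update`/`patch` on Pods, as the description notes.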