Some registries, such as Harbor, offer pull-through caches for images from other registries. Image references can be rewritten so that they are pulled from the caching registry instead of the original; the caching registry then proxies the pull and adds the image to its internal cache. The imageData context variable in this policy provides a normalized view of the container image (registry, repository and identifier), allowing the policy to make decisions based on "live" image details. As a result, the policy requires network access to the source registry, and the referenced image must exist there, for those details to be resolved.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry-with-harbor
  annotations:
    policies.kyverno.io/title: Replace Image Registry With Harbor
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.11.4
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/description: >-
      Some registries like Harbor offer pull-through caches for images from certain registries.
      Images can be re-written to be pulled from the redirected registry instead of the original
      and the registry will proxy pull the image, adding it to its internal cache. The imageData
      context variable in this policy provides a normalized view of the container image, allowing
      the policy to make decisions based on various "live" image details. As a result, it requires
      access to the source registry and the existence of the target image to verify those details.
spec:
  rules:
  - name: redirect-docker
    match:
      any:
      - resources:
          kinds:
          - Pod
          operations:
          - CREATE
          - UPDATE
    mutate:
      foreach:
      - list: request.object.spec.initContainers[]
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        preconditions:
          any:
          - key: "{{imageData.registry}}"
            operator: Equals
            value: index.docker.io
        patchStrategicMerge:
          spec:
            initContainers:
            - name: "{{ element.name }}"
              image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
      - list: request.object.spec.containers[]
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        preconditions:
          any:
          - key: "{{imageData.registry}}"
            operator: Equals
            value: index.docker.io
        patchStrategicMerge:
          spec:
            containers:
            - name: "{{ element.name }}"
              image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
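To make the mutation above concrete, the following is an added example (not Kyverno's code and not part of the policy page) that reproduces offline what the policy does for each container: normalize an image reference into the registry/repository/identifier view that the imageData context exposes, rewrite it to the Harbor proxy cache only when the registry is index.docker.io, and apply that to the two container lists the foreach iterates. It assumes the Docker reference rules (a first path component with a "." or ":" is a registry, bare Docker Hub names live under library/, an untagged image means latest) and assumes that identifier is the digest for a digest-pinned reference and the tag otherwise; the real policy also fetches the manifest from the source registry, which this example does not do.

```python
"""Added example: offline model of the replace-image-registry-with-harbor rule.
Not Kyverno's implementation; only the reference-string parsing is modelled,
the registry lookup Kyverno performs for imageData is omitted."""
import copy

HARBOR_PREFIX = "harbor.example.com/k8s"   # target prefix from the policy
DOCKER_HUB = "index.docker.io"              # value the policy's precondition compares against


def normalize(image: str) -> dict:
    """Split an image reference into the fields imageData exposes.

    Assumed Docker reference rules: a first path component containing '.' or ':'
    (or equal to 'localhost') is a registry; otherwise Docker Hub is implied and a
    single-segment name is placed under 'library/'. 'docker.io' is folded into
    'index.docker.io' so the precondition matches both spellings.
    """
    digest = None
    tag = None
    name = image
    if "@" in name:                           # name@sha256:... pins a digest
        name, digest = name.split("@", 1)
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:                    # ':' after the last '/' is a tag, not a port
        tag = name[colon + 1:]
        name = name[:colon]
    parts = name.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, repo_parts = first, parts[1:]
    else:
        registry, repo_parts = DOCKER_HUB, parts
    if registry in ("docker.io", DOCKER_HUB):
        registry = DOCKER_HUB
        if len(repo_parts) == 1:
            repo_parts = ["library"] + repo_parts
    # Assumption: identifier is the digest when pinned, else the tag (default latest).
    identifier = digest if digest else (tag or "latest")
    return {"registry": registry, "repository": "/".join(repo_parts),
            "identifier": identifier, "tag": tag, "digest": digest}


def rewrite(image: str) -> str:
    """Rewrite a Docker Hub reference to the Harbor proxy cache; leave others alone.

    The policy template always joins repository and identifier with ':'. A digest is
    not a valid tag, so this example joins a digest-pinned reference with '@' instead.
    """
    d = normalize(image)
    if d["registry"] != DOCKER_HUB:           # precondition: only index.docker.io images
        return image
    sep = "@" if d["digest"] else ":"
    return f"{HARBOR_PREFIX}/{d['repository']}{sep}{d['identifier']}"


def rewrite_pod(pod: dict) -> dict:
    """Apply rewrite() to spec.initContainers[] and spec.containers[], the two lists
    the policy's foreach walks. ephemeralContainers are not touched, as in the policy."""
    out = copy.deepcopy(pod)
    for key in ("initContainers", "containers"):
        for c in out.get("spec", {}).get(key, []):
            c["image"] = rewrite(c["image"])
    return out


# Constructed sample Pod for the demonstration (not taken from the page).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [
            {"name": "web", "image": "nginx"},
            {"name": "sidecar", "image": "ghcr.io/example/sidecar:2.1"},
        ],
    },
}

if __name__ == "__main__":
    for c in rewrite_pod(SAMPLE_POD)["spec"]["containers"]:
        print(c["name"], "->", c["image"])
```

The ghcr.io sidecar is left unchanged because the precondition only matches index.docker.io, and a reference such as localhost:5000/app:dev is also untouched because the port-bearing first component is treated as a registry rather than a tag. When you deploy the policy itself, remember that the webhook must be able to reach index.docker.io to populate imageData; an image that does not exist upstream will not be rewritten.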
The Kubernetes cluster autoscaler does not evict Pods that use hostPath or emptyDir volumes. To allow such Pods to be evicted, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to them.
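The check a mutation for that annotation has to make, as an added example that is not the policy's own code: decide whether a Pod mounts a hostPath or emptyDir volume and, only then, add the annotation without overwriting a value the Pod owner already set. The sample Pod is constructed for the demonstration.

```python
"""Added example: the volume check and add-if-absent annotation the
safe-to-evict requirement implies. Not Kyverno's policy code."""
import copy

SAFE_TO_EVICT = "cluster-autoscaler.kubernetes.io/safe-to-evict"


def uses_local_volume(pod: dict) -> bool:
    """True when any spec.volumes[] entry is a hostPath or emptyDir volume."""
    return any("hostPath" in v or "emptyDir" in v
               for v in pod.get("spec", {}).get("volumes", []))


def add_safe_to_evict(pod: dict) -> dict:
    """Return a copy of the Pod with the annotation set to "true" when needed.

    A value already present (for example an explicit "false" set by the owner)
    is left alone; Pods without local volumes are returned unchanged.
    """
    out = copy.deepcopy(pod)
    if not uses_local_volume(out):
        return out
    annotations = out.setdefault("metadata", {}).setdefault("annotations", {})
    annotations.setdefault(SAFE_TO_EVICT, "true")
    return out


# Constructed sample Pods (not from the page).
POD_WITH_EMPTYDIR = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "scratch"},
    "spec": {
        "containers": [{"name": "app", "image": "nginx"}],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}
POD_WITH_PVC = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "data"},
    "spec": {
        "containers": [{"name": "app", "image": "nginx"}],
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data"}}],
    },
}

if __name__ == "__main__":
    print(add_safe_to_evict(POD_WITH_EMPTYDIR)["metadata"]["annotations"])
```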
Tiller, the server-side component of Helm v2, has known security problems. It requires administrative privileges and acts as a shared resource accessible to any authenticated user, so it can enable privilege escalation: restricted users can affect other users' releases. For these reasons it is recommended to use Helm v3 or later, which has no Tiller. This policy validates that no container image name contains `tiller`.