The nodeSelector field uses labels to select the node on which a Pod can be scheduled. This can be useful when Pods have specific needs that only certain nodes in a cluster can provide. This policy adds the nodeSelector field to a Pod spec and configures it with labels `foo` and `color`.
apiVersion: policies.kyverno.io/v1alpha1kind: MutatingPolicymetadata:name: add-nodeselectorannotations:policies.kyverno.io/title: Add nodeSelectorpolicies.kyverno.io/category: Samplepolicies.kyverno.io/subject: Podpolicies.kyverno.io/minversion: 1.15.0policies.kyverno.io/description: The nodeSelector field uses labels to select the node on which a Pod can be scheduled. This can be useful when Pods have specific needs that only certain nodes in a cluster can provide. This policy adds the nodeSelector field to a Pod spec and configures it with labels `foo` and `color`.spec:matchConstraints:resourceRules:- apiGroups:- ""apiVersions:- v1operations:- CREATE- UPDATEresources:- pods- apiGroups:- appsapiVersions:- v1operations:- CREATE- UPDATEresources:- deployments- daemonsets- statefulsets- apiGroups:- batchapiVersions:- v1operations:- CREATE- UPDATEresources:- jobs- cronjobsmutations:- patchType: JSONPatchjsonPatch:expression: |!has(object.spec.nodeSelector) ?[JSONPatch{op: "add",path: "/spec/nodeSelector",value: dyn({"foo": "bar", "color": "orange"})}] :[JSONPatch{op: "add",path: "/spec/nodeSelector/foo",value: "bar"},JSONPatch{op: "add",path: "/spec/nodeSelector/color",value: "orange"}]- patchType: JSONPatchjsonPatch:expression: |has(object.spec.template) ?(!has(object.spec.template.spec.nodeSelector) ?[JSONPatch{op: "add",path: "/spec/template/spec/nodeSelector",value: dyn({"foo": "bar", "color": "orange"})}] :[JSONPatch{op: "add",path: "/spec/template/spec/nodeSelector/foo",value: "bar"},JSONPatch{op: "add",path: "/spec/template/spec/nodeSelector/color",value: "orange"}]) : []- patchType: JSONPatchjsonPatch:expression: |has(object.spec.jobTemplate) ?(!has(object.spec.jobTemplate.spec.template.spec.nodeSelector) ?[JSONPatch{op: "add",path: "/spec/jobTemplate/spec/template/spec/nodeSelector",value: dyn({"foo": "bar", "color": "orange"})}] :[JSONPatch{op: "add",path: "/spec/jobTemplate/spec/template/spec/nodeSelector/foo",value: "bar"},JSONPatch{op: "add",path: "/spec/jobTemplate/spec/template/spec/nodeSelector/color",value: "orange"}]) : []
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.