For use cases like sidecar injection, it is often the case where existing Deployments need the sidecar image updated without destroying the whole Deployment or Pods. This policy updates the image tag on containers named vault-agent for existing Deployments which have the annotation vault.hashicorp.com/agent-inject="true". It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.
apiVersion: policies.kyverno.io/v1alpha1kind: MutatingPolicymetadata:name: update-image-tagannotations:policies.kyverno.io/title: Update Image Tagpolicies.kyverno.io/category: Otherpolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Deploymentpolicies.kyverno.io/description: For use cases like sidecar injection, it is often the case where existing Deployments need the sidecar image updated without destroying the whole Deployment or Pods. This policy updates the image tag on containers named vault-agent for existing Deployments which have the annotation vault.hashicorp.com/agent-inject="true". It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.spec:evaluation:admission:enabled: truemutateExisting:enabled: truematchConstraints:resourceRules:- apiGroups:- appsapiVersions:- v1resources:- deploymentsoperations:- CREATE- UPDATEmatchConditions:- name: has-vault-inject-annotationexpression: has(object.metadata.annotations) && object.metadata.annotations['vault.hashicorp.com/agent-inject'] == 'true'variables:- name: containersexpression: object.spec.template.spec.containers- name: vaultAgentIndexexpression: variables.containers.map(c, c.name).indexOf('vault-agent')- name: hasVaultAgentexpression: variables.vaultAgentIndex >= 0mutations:- patchType: JSONPatchjsonPatch:expression: |-variables.hasVaultAgent ? [JSONPatch{op: "replace",path: "/spec/template/spec/containers/" + string(variables.vaultAgentIndex) + "/image",value: "vault:1.5.4"}] : []
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
CAST AI will not downscale a node that includes a pod with the autoscaling.cast.ai/removal-disabled="true" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and cronjobs to add the removal-disabled label to protect against eviction.