The base image from which a container image was built is not visible to any Kubernetes component and is not a field in a Pod spec; it is only discoverable by fetching the image manifest from a registry, where a builder may record it in the OCI annotation `org.opencontainers.image.base.name`. Surfacing this value on the resource that references the container gives reviewers a clearer picture of what the Pod is actually running. This policy looks up each container image in its registry and, when the manifest carries that annotation, adds an annotation `kyverno.io/baseimages<index>` to the Pod holding the base image name (an empty string when the annotation is absent). Two points to keep in mind: the `imageRegistry` context requires Kyverno to reach the registry and, for private registries, to be configured with pull credentials; and because `pod-policies.kyverno.io/autogen-controllers` is set to `none`, no rules are auto-generated for Deployments and other controllers, so as written the policy mutates only Pods. A JSON Patch `add` is also defined (RFC 6902) to require the parent object to exist, so verify the policy against a Pod that has no `metadata.annotations` at all before relying on it.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: annotate-base-images
  annotations:
    policies.kyverno.io/title: Annotate Base Images
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    pod-policies.kyverno.io/autogen-controllers: none
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      A base image used to construct a container image is not accessible by any Kubernetes
      component and not a field in a Pod spec as it must be fetched from a registry. Having
      this information available in the resource referencing the containers helps to provide
      a clearer understanding of its contents. This policy adds an annotation to a Pod or its
      controllers with the base image used for each container if present in an OCI annotation.
spec:
  rules:
  - name: mutate-base-image
    match:
      any:
      - resources:
          kinds:
          - Pod
    # Skip DELETE requests; "BACKGROUND" covers background scans, which have no request.operation.
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    mutate:
      # One iteration per container; elementIndex is the container's position in the list.
      foreach:
      - list: request.object.spec.containers
        context:
        # Fetch the image manifest from its registry.
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        # Read the OCI base-image annotation, defaulting to "" when it is absent.
        - name: basename
          variable:
            jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
            default: ""
        # "~1" is the JSON Pointer escape for "/" in the annotation key kyverno.io/baseimages<N>.
        patchesJson6902: |-
          - path: "/metadata/annotations/kyverno.io~1baseimages{{elementIndex}}"
            op: add
            value: "{{basename}}"
```
The Kubernetes Cluster Autoscaler will not scale down a node that is running Pods with hostPath or emptyDir volumes, because the contents of that local storage would be lost on eviction. To allow such Pods to be evicted, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict must be set to the string "true" on the Pods.
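One way to apply that annotation with Kyverno, as an added example in the style of the policy above and not the project's own policy: the `<(...)` conditional anchors make each rule match only Pods that actually have an emptyDir or hostPath volume, and the `+(...)` anchor adds the annotation only if it is not already set, so an operator who deliberately set it to "false" is not overridden. The policy name and rule names are assumptions.

```yaml
# Added example (hypothetical policy name); assumes Kyverno 1.7+ syntax.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-safe-to-evict
spec:
  rules:
  # Pods using emptyDir volumes.
  - name: annotate-empty-dir
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            # "+()" adds the key only when it is absent; existing values are left alone.
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:
          volumes:
          # "<()" is a conditional anchor: the rule applies only if some volume has emptyDir.
          - <(emptyDir): {}
  # Pods using hostPath volumes.
  - name: annotate-host-path
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:
          volumes:
          # Any hostPath, whatever its path.
          - <(hostPath):
              path: "*"
```

After applying the policy, confirm the effect on a new Pod with `kubectl get pod <name> -o jsonpath='{.metadata.annotations}'`; a Pod with neither volume type should come back without the annotation, and one that already carried the annotation with value "false" should keep it.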
CAST AI will not downscale a node that includes a Pod carrying the label autoscaling.cast.ai/removal-disabled="true". This protects sensitive workloads from being evicted and can be applied to any Pod to guard against unwanted downscaling. This policy mutates Jobs and CronJobs to add the removal-disabled label so that the Pods they create are protected from eviction.
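A policy that does this, as an added example written in the same style and not the project's own: the label is placed in the Pod template, not on the Job or CronJob object itself, since only the running Pod is what CAST AI inspects. For CronJobs the template sits two levels deeper, under `spec.jobTemplate.spec.template`. The policy name and rule names are assumptions.

```yaml
# Added example (hypothetical policy name); assumes Kyverno 1.7+ syntax.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-castai-removal-disabled
spec:
  rules:
  # Jobs: label the Pod template so every Pod the Job creates carries the label.
  - name: label-job-pod-template
    match:
      any:
      - resources:
          kinds:
          - Job
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    mutate:
      patchStrategicMerge:
        spec:
          template:
            metadata:
              labels:
                # "+()" adds the label only if it is not already present.
                +(autoscaling.cast.ai/removal-disabled): "true"
  # CronJobs: the Pod template is nested inside the Job template.
  - name: label-cronjob-pod-template
    match:
      any:
      - resources:
          kinds:
          - CronJob
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    mutate:
      patchStrategicMerge:
        spec:
          jobTemplate:
            spec:
              template:
                metadata:
                  labels:
                    +(autoscaling.cast.ai/removal-disabled): "true"
```

Jobs spawned by a CronJob are also admitted as Job objects, so they match the first rule as well; because `+()` only adds a missing key, the two rules do not conflict. Check the result with `kubectl get cronjob <name> -o jsonpath='{.spec.jobTemplate.spec.template.metadata.labels}'`.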