CRI engines log in different formats. Loggers deployed as DaemonSets don't know which format to apply because they cannot see this information. If Kyverno writes a label to each node naming its runtime, loggers can use node label selectors to choose the parsing logic to use. This policy detects the CRI engine in use and writes a label called `runtime` to the Node with that value. The Node resource filter should be removed, and users may need to grant the Kyverno ServiceAccount permission to update Nodes.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: label-nodes-cri
  annotations:
    policies.kyverno.io/title: Label Nodes with CRI Runtime
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Node, Label
    kyverno.io/kyverno-version: 1.7.2
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      CRI engines log in different formats. Loggers deployed as DaemonSets don't know
      which format to apply because they can't see this information. By Kyverno writing
      a label to each node with its runtime, loggers can use node label selectors to know
      which parsing logic to use. This policy detects the CRI engine in use and writes a
      label to the Node called `runtime` with it. The Node resource filter should be
      removed and users may need to grant the Kyverno ServiceAccount permission to update Nodes.
spec:
  mutateExistingOnPolicyUpdate: true
  rules:
  - name: label-node-containerd
    match:
      any:
      - resources:
          kinds:
          - Node
    mutate:
      targets:
      - apiVersion: v1
        kind: Node
        name: "{{ request.object.metadata.name }}"
      patchStrategicMerge:
        metadata:
          labels:
            runtime: containerd
        status:
          nodeInfo:
            <(containerRuntimeVersion): containerd*
  - name: label-node-docker
    match:
      any:
      - resources:
          kinds:
          - Node
    mutate:
      targets:
      - apiVersion: v1
        kind: Node
        name: "{{ request.object.metadata.name }}"
      patchStrategicMerge:
        metadata:
          labels:
            runtime: docker
        status:
          nodeInfo:
            <(containerRuntimeVersion): docker*
```
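To see what the two conditional anchors (`<(containerRuntimeVersion): containerd*` and `docker*`) actually select, here is an added simulation of the policy's decision over constructed Node objects; it is not Kyverno's engine and assumes Kyverno's `*` wildcard behaves like `fnmatch` for these patterns. It also shows the gap a practitioner should plan for: a node running a runtime the policy does not list (cri-o in the sample) gets no `runtime` label, so a logger's node selector would silently skip it.

```python
from fnmatch import fnmatchcase
from typing import Optional

# (label value, wildcard pattern) pairs taken from the two rules above. Kyverno's
# "<(...)" conditional anchor applies the patch only when the pattern matches;
# assumption: fnmatch-style "*" matching reproduces Kyverno's wildcard for these.
RULES = [
    ("containerd", "containerd*"),
    ("docker", "docker*"),
]


def runtime_label(node: dict) -> Optional[str]:
    """Return the value the policy would write to metadata.labels.runtime, or None."""
    version = node.get("status", {}).get("nodeInfo", {}).get("containerRuntimeVersion", "")
    for value, pattern in RULES:
        if fnmatchcase(version, pattern):
            return value
    return None  # no rule's anchor matched: the node is left unlabeled


def apply_policy(node: dict) -> dict:
    """Simulate the strategic-merge patch: add the label, keep existing labels intact."""
    value = runtime_label(node)
    if value is not None:
        labels = node.setdefault("metadata", {}).setdefault("labels", {})
        labels["runtime"] = value
    return node


def make_node(name: str, version: str) -> dict:
    """Constructed sample Node with only the fields the policy reads and writes."""
    return {
        "apiVersion": "v1",
        "kind": "Node",
        "metadata": {"name": name, "labels": {"kubernetes.io/os": "linux"}},
        "status": {"nodeInfo": {"containerRuntimeVersion": version}},
    }


# Constructed sample nodes; the version strings mimic the kubelet's "<engine>://<version>" form.
SAMPLE_NODES = [
    make_node("worker-1", "containerd://1.6.8"),
    make_node("worker-2", "docker://20.10.17"),
    make_node("worker-3", "cri-o://1.24.2"),
]

if __name__ == "__main__":
    for node in SAMPLE_NODES:
        apply_policy(node)
        print(node["metadata"]["name"], node["metadata"]["labels"].get("runtime", "<no label>"))
```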
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
CAST AI will not downscale a node that hosts a pod carrying the autoscaling.cast.ai/removal-disabled="true" label. This protects sensitive workloads from being evicted, and the label can be applied to any pod to guard it against unwanted downscaling. This policy mutates Jobs and CronJobs to add the removal-disabled label so that their pods are protected from eviction.