All Policies

Label Nodes with CRI Runtime

CRI engines log in different formats. Loggers deployed as DaemonSets don't know which format to apply because they can't see this information. By Kyverno writing a label to each node with its runtime, loggers can use node label selectors to know which parsing logic to use. This policy detects the CRI engine in use and writes a label to the Node called `runtime` with it. The Node resource filter should be removed and users may need to grant the Kyverno ServiceAccount permission to update Nodes.

Policy Definition

/other/label-nodes-cri/label-nodes-cri.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: label-nodes-cri
 5  annotations:
 6    policies.kyverno.io/title: Label Nodes with CRI Runtime
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Node, Label
10    kyverno.io/kyverno-version: 1.7.2
11    policies.kyverno.io/minversion: 1.7.0
12    kyverno.io/kubernetes-version: "1.23"
13    policies.kyverno.io/description: >-
14      CRI engines log in different formats. Loggers deployed as DaemonSets don't know
15      which format to apply because they can't see this information. By Kyverno writing a label
16      to each node with its runtime, loggers can use node label selectors to know which parsing logic to use.
17      This policy detects the CRI engine in use and writes a label to the Node called `runtime` with it.
18      The Node resource filter should be removed and users may need to grant the Kyverno ServiceAccount permission
19      to update Nodes.
20spec:
21  mutateExistingOnPolicyUpdate: true
22  rules:
23    - name: label-node-containerd
24      match:
25        any:
26        - resources:
27            kinds:
28            - Node
29      mutate:
30        targets:
31        - apiVersion: v1
32          kind: Node
33          name: "{{ request.object.metadata.name }}"
34        patchStrategicMerge:
35          metadata:
36            labels:
37              runtime: containerd
38          status:
39            nodeInfo:
40              <(containerRuntimeVersion): containerd*
41    - name: label-node-docker
42      match:
43        any:
44        - resources:
45            kinds:
46            - Node
47      mutate:
48        targets:
49        - apiVersion: v1
50          kind: Node
51          name: "{{ request.object.metadata.name }}"
52        patchStrategicMerge:
53          metadata:
54            labels:
55              runtime: docker
56          status:
57            nodeInfo:
58              <(containerRuntimeVersion): docker*
Create policy issue