An Ingress may specify host names at a variety of locations in the same resource. In some cases, those host names should be modified to, for example, update domain names silently. The replacement must be done in all the fields where a host name can be specified. This policy, illustrating the use of nested foreach loops and operable in Kyverno 1.9+, replaces host names that end with `old.com` with `new.com`.
```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: replace-ingress-hosts
  annotations:
    policies.kyverno.io/title: Replace Ingress Hosts
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      An Ingress may specify host names at a variety of locations in the same resource.
      In some cases, those host names should be modified to, for example, update domain
      names silently. The replacement must be done in all the fields where a host name
      can be specified. This policy, illustrating the use of nested foreach loops and
      operable in Kyverno 1.9+, replaces host names that end with `old.com` with `new.com`.
spec:
  background: false
  rules:
    - name: replace-old-with-new
      match:
        any:
          - resources:
              kinds:
                - Ingress
      mutate:
        foreach:
          - list: request.object.spec.rules
            patchesJson6902: |-
              - path: /spec/rules/{{elementIndex}}/host
                op: replace
                value: {{replace_all('{{element.host}}', '.old.com', '.new.com')}}
          - list: request.object.spec.tls[]
            foreach:
              - list: element.hosts
                patchesJson6902: |-
                  - path: /spec/tls/{{elementIndex0}}/hosts/{{elementIndex1}}
                    op: replace
                    value: "{{ replace_all('{{element}}', '.old.com', '.new.com') }}"
          - list: request.object.spec.tls[]
            patchesJson6902: |-
              - path: /spec/tls/{{elementIndex}}/secretName
                op: replace
                value: "{{ replace_all('{{element.secretName}}', '.old.com', '.new.com') }}"
```
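The following Python model is an added example, not part of the policy or of Kyverno. It builds the JSON Patch operations that the three foreach blocks describe for a constructed Ingress and applies them. It assumes `replace_all` is a plain substring replacement, so a host containing `.old.com` mid-string is rewritten too, while a bare `old.com` is left alone. The function names and the sample resource are hypothetical.

```python
import copy

OLD, NEW = ".old.com", ".new.com"  # the two literals passed to replace_all in the policy

def build_patches(ingress):
    """Model the policy's three foreach blocks as RFC 6902 replace operations."""
    spec, ops = ingress.get("spec", {}), []
    def add(path, value):
        ops.append({"op": "replace", "path": path, "value": value.replace(OLD, NEW)})
    # foreach 1: spec.rules -> /spec/rules/{{elementIndex}}/host
    for i, rule in enumerate(spec.get("rules", [])):
        if "host" in rule:  # modelling choice: entries lacking the field are skipped
            add(f"/spec/rules/{i}/host", rule["host"])
    for i, tls in enumerate(spec.get("tls", [])):
        # foreach 2 (nested): spec.tls[] then element.hosts -> elementIndex0 / elementIndex1
        for j, host in enumerate(tls.get("hosts", [])):
            add(f"/spec/tls/{i}/hosts/{j}", host)
        # foreach 3: spec.tls[] -> /spec/tls/{{elementIndex}}/secretName
        if "secretName" in tls:
            add(f"/spec/tls/{i}/secretName", tls["secretName"])
    return ops

def apply_patches(doc, ops):
    """Apply replace-only JSON Patch operations to a deep copy of doc."""
    out = copy.deepcopy(doc)
    for op in ops:
        *parents, leaf = op["path"].lstrip("/").split("/")
        node = out
        for key in parents:
            node = node[int(key)] if isinstance(node, list) else node[key]
        node[int(leaf) if isinstance(node, list) else leaf] = op["value"]
    return out

# Constructed sample Ingress (not from the page).
SAMPLE = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "demo"},
    "spec": {
        "rules": [{"host": "shop.old.com"},               # suffix match: rewritten
                  {"host": "old.com"},                    # no leading dot: untouched
                  {"host": "shop.old.com.example.net"}],  # mid-string match: also rewritten
        "tls": [{"hosts": ["shop.old.com", "api.other.org"],
                 "secretName": "shop.old.com"}],
    },
}

def mutate(ingress):
    return apply_patches(ingress, build_patches(ingress))

if __name__ == "__main__":
    for op in build_patches(SAMPLE):
        print(op["path"], "->", op["value"])
```

The third rule host is the case to check for in a real cluster: the description speaks of names that end with `old.com`, but a substring replacement does not anchor to the end of the string.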
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
CAST AI will not downscale a node that includes a pod with the `autoscaling.cast.ai/removal-disabled="true"` label on it. This protects sensitive workloads from being evicted, and the label can be applied to any pod to protect against unwanted downscaling. This policy will mutate Jobs and CronJobs to add the removal-disabled label to protect against eviction.