Add Volume to Deployment
Some Kubernetes applications like HashiCorp Vault must perform some modifications to resources in order to invoke their specific functionality. Often times, that functionality is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp Vault, adds a volume and volumeMount to a Deployment whose Pod template carries the annotation "vault.k8s.corp.net/inject=enabled".
Policy Definition
/other/add_volume_deployment.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-volume
  annotations:
    policies.kyverno.io/title: Add Volume to Deployment
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Deployment, Volume
    policies.kyverno.io/description: >-
      Some Kubernetes applications like HashiCorp Vault must perform some modifications
      to resources in order to invoke their specific functionality. Often times, that functionality
      is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp
      Vault, adds a volume and volumeMount to a Deployment if there is an annotation called
      "vault.k8s.corp.net/inject=enabled" present.
spec:
  # The precondition reads request.object, which only exists in admission
  # requests, so background (existing-resource) scans are disabled.
  background: false
  rules:
  - name: add-volume
    match:
      resources:
        kinds:
        - Deployment
    # The annotation is checked on the Pod template, not on the Deployment's own metadata.
    preconditions:
    - key: "{{request.object.spec.template.metadata.annotations.\"vault.k8s.corp.net/inject\"}}"
      operator: Equals
      value: "enabled"
    mutate:
      # RFC 6902 "add" on a path that already exists replaces its value, so a
      # Deployment that already declares volumes or volumeMounts on container 0
      # ends up with only the entries below.
      patchesJson6902: |-
        - op: add
          path: /spec/template/spec/volumes
          value: [{"name": "vault-secret","emptyDir": {"medium": "Memory"}}]
        - op: add
          path: /spec/template/spec/containers/0/volumeMounts
          value: [{"mountPath": "/secret","name": "vault-secret"}]
```
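To see what the mutation does to a real Deployment before admitting it, the following added example (not Kyverno's code, and not part of the original policy page) replays the policy's precondition and its two RFC 6902 `add` operations against a constructed Deployment that already declares a volume. It uses a minimal hand-written `add` implementation; the sample Deployment and its names are constructed for the demonstration.

```python
import copy

# Constructed sample Deployment carrying the annotation the policy matches on.
# It already declares one volume, to show what the policy's "add" op does to it.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "demo"},
    "spec": {"template": {
        "metadata": {"annotations": {"vault.k8s.corp.net/inject": "enabled"}},
        "spec": {
            "volumes": [{"name": "config", "configMap": {"name": "demo-cfg"}}],
            "containers": [{"name": "app", "image": "demo:1.0"}],
        },
    }},
}

# The two operations from the policy's patchesJson6902 block, verbatim.
POLICY_PATCH = [
    {"op": "add", "path": "/spec/template/spec/volumes",
     "value": [{"name": "vault-secret", "emptyDir": {"medium": "Memory"}}]},
    {"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts",
     "value": [{"mountPath": "/secret", "name": "vault-secret"}]},
]

def precondition_matches(deploy: dict) -> bool:
    """Mirror the policy's precondition: the Pod template annotation must equal 'enabled'."""
    ann = deploy.get("spec", {}).get("template", {}).get("metadata", {}).get("annotations") or {}
    return ann.get("vault.k8s.corp.net/inject") == "enabled"

def json6902_add(doc: dict, path: str, value) -> None:
    """Minimal RFC 6902 'add': walk the JSON pointer, then insert into a list or set a key.
    Per the RFC, 'add' on an existing object member replaces that member's value."""
    parts = [p.replace("~1", "/").replace("~0", "~") for p in path.lstrip("/").split("/")]
    node = doc
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    last = parts[-1]
    if isinstance(node, list):
        node.insert(len(node) if last == "-" else int(last), value)
    else:
        node[last] = value

def apply_policy(deploy: dict) -> dict:
    """Return a copy of the Deployment as the policy would mutate it (unchanged if the precondition fails)."""
    out = copy.deepcopy(deploy)
    if precondition_matches(out):
        for op in POLICY_PATCH:
            json6902_add(out, op["path"], op["value"])
    return out
```

Running `apply_policy(SAMPLE_DEPLOYMENT)` shows the pre-existing `config` volume gone and only `vault-secret` left, which is the case to test for before rolling this policy out to workloads that already mount volumes.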