Inject Sidecar Container
The sidecar pattern is very common in Kubernetes whereby other applications can insert components via tacit modification of a submitted resource. This is, for example, often how service meshes and secrets applications are able to function transparently. This policy injects a sidecar container, initContainer, and volume into Pods that match an annotation called `vault.hashicorp.com/agent-inject: true`.
Policy Definition
/other/inject_sidecar_deployment.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-sidecar
  annotations:
    policies.kyverno.io/title: Inject Sidecar Container
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The sidecar pattern is very common in Kubernetes whereby other applications can
      insert components via tacit modification of a submitted resource. This is, for example,
      often how service meshes and secrets applications are able to function transparently.
      This policy injects a sidecar container, initContainer, and volume into Pods that match
      an annotation called `vault.hashicorp.com/agent-inject: true`.
spec:
  background: false
  rules:
  - name: inject-sidecar
    match:
      resources:
        kinds:
        - Deployment
    mutate:
      patchStrategicMerge:
        spec:
          template:
            metadata:
              annotations:
                (vault.hashicorp.com/agent-inject): "true"
            spec:
              containers:
              - name: vault-agent
                image: vault:1.5.4
                imagePullPolicy: IfNotPresent
                volumeMounts:
                - mountPath: /vault/secrets
                  name: vault-secret
              initContainers:
              - name: vault-agent-init
                image: vault:1.5.4
                imagePullPolicy: IfNotPresent
                volumeMounts:
                - mountPath: /vault/secrets
                  name: vault-secret
              volumes:
              - name: vault-secret
                emptyDir:
                  medium: Memory
```
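To see what the rule above does to a workload without a cluster, the following added example (not Kyverno code and not part of this policy page) models its two mechanics in plain Python: the conditional anchor `(vault.hashicorp.com/agent-inject): "true"` gates the whole patch on the pod-template annotation, and `patchStrategicMerge` merges `containers`, `initContainers` and `volumes` by their `name` key instead of replacing the lists. The two Deployments, the `SIDECAR`, `INIT_CONTAINER` and `VOLUME` dicts (transcribed from the policy), and the `has_vault_sidecar` check are all constructed here for illustration.

```python
"""Offline model of the inject-sidecar policy's mutation (added example, not Kyverno code)."""
import copy

ANNOTATION = "vault.hashicorp.com/agent-inject"

# Items from the policy's patchStrategicMerge, transcribed from the page.
SIDECAR = {
    "name": "vault-agent",
    "image": "vault:1.5.4",
    "imagePullPolicy": "IfNotPresent",
    "volumeMounts": [{"mountPath": "/vault/secrets", "name": "vault-secret"}],
}
INIT_CONTAINER = {
    "name": "vault-agent-init",
    "image": "vault:1.5.4",
    "imagePullPolicy": "IfNotPresent",
    "volumeMounts": [{"mountPath": "/vault/secrets", "name": "vault-secret"}],
}
VOLUME = {"name": "vault-secret", "emptyDir": {"medium": "Memory"}}


def merge_by_name(existing, patch_items):
    """Strategic merge for Kubernetes lists keyed on `name`: append items whose
    name is absent, keep existing items untouched, never duplicate."""
    merged = copy.deepcopy(existing or [])
    present = {item.get("name") for item in merged}
    for item in patch_items:
        if item["name"] not in present:
            merged.append(copy.deepcopy(item))
    return merged


def inject_sidecar(deployment):
    """Return a mutated copy of the Deployment, or an unchanged copy when the
    conditional anchor does not match (annotation absent or not "true")."""
    out = copy.deepcopy(deployment)
    template = out["spec"]["template"]
    annotations = template.get("metadata", {}).get("annotations", {})
    if annotations.get(ANNOTATION) != "true":
        return out  # anchor failed: no part of the patch is applied
    pod = template["spec"]
    pod["containers"] = merge_by_name(pod.get("containers"), [SIDECAR])
    pod["initContainers"] = merge_by_name(pod.get("initContainers"), [INIT_CONTAINER])
    pod["volumes"] = merge_by_name(pod.get("volumes"), [VOLUME])
    return out


def has_vault_sidecar(deployment):
    """Verification check (constructed here): the pod template carries the
    vault-agent container and a memory-backed emptyDir named vault-secret,
    so rendered secrets never touch node disk."""
    pod = deployment["spec"]["template"]["spec"]
    names = {c["name"] for c in pod.get("containers", [])}
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    medium = volumes.get("vault-secret", {}).get("emptyDir", {}).get("medium")
    return "vault-agent" in names and medium == "Memory"


def make_deployment(annotated):
    """Constructed sample Deployment (not from the page), with or without the opt-in annotation."""
    metadata = {"annotations": {ANNOTATION: "true"}} if annotated else {}
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "web"},
        "spec": {
            "template": {
                "metadata": metadata,
                "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
            }
        },
    }


if __name__ == "__main__":
    mutated = inject_sidecar(make_deployment(annotated=True))
    untouched = inject_sidecar(make_deployment(annotated=False))
    print([c["name"] for c in mutated["spec"]["template"]["spec"]["containers"]])
    print(has_vault_sidecar(mutated), has_vault_sidecar(untouched))
```

Two things the model makes visible that the YAML alone does not: the mutation is idempotent (re-admitting an already-injected Deployment adds nothing, because the merge is keyed on `name`), and only `Deployment` resources are matched by the rule, so a bare Pod or another workload kind carrying the same annotation is left as submitted. To exercise the real policy rather than this model, run it through the Kyverno CLI (`kyverno apply <policy> --resource <deployment>`) against the same two manifests.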