
[Enhancement] Add docs for mutateExisting policies #520

@realshuting

Description

KDP: kyverno/KDP#4.
Implementation: kyverno/kyverno#3669.

To highlight this feature:

  • the mutateExisting policy will be triggered on trigger resource or policy updates (CREATION, UPDATE, DELETE)
  • the annotation policies.kyverno.io/last-applied-patches will be added to the target resource indicating the last applied patches
  • an event will be generated for policy application:

```text
3h57m       Normal    PolicyApplied       secret/test-secret-1                policy test-post-mutation/mutate-deploy-on-configmap-update applied to Secret/staging/test-secret-1 successfully
```

  • support the in-place variable `@` and the `target.` prefix to reference the target resource's data

A note on this:

  • the permissions need to be granted to Kyverno service account properly, like how generate works. Currently, there's no default ClusterRole and ClusterRoleBinding in Kyverno blueprint as Kubernetes doesn't allow "empty" ClusterRole.
  • variables are not supported for foreach rules
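The permission note above is the part a cluster operator has to act on: a mutateExisting rule writes to resources the admission request never touched, so the Kyverno controller needs explicit RBAC for every target kind. The manifest below is an added example, not code from this issue or from the Kyverno project, showing a ClusterRole scoped to exactly the kinds the sample policies target (Secrets and Deployments) and a binding to the controller's service account. The role name, and the service account name and namespace (`kyverno`/`kyverno`), are assumptions; adjust them to the installation.

```yaml
# Added example (not from the issue or the Kyverno project): grant the Kyverno
# service account write access only to the target kinds used by the sample
# mutateExisting policies. Names below are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:mutate-existing-targets   # assumed role name
rules:
  # Secrets are the targets of samples 1 and 2
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Deployments are the target of sample 3
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:mutate-existing-targets   # assumed binding name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:mutate-existing-targets
subjects:
  - kind: ServiceAccount
    name: kyverno        # assumed service account name
    namespace: kyverno   # assumed namespace of the Kyverno installation
```

Before applying a policy, confirm the grant with `kubectl auth can-i patch secrets -n staging --as=system:serviceaccount:kyverno:kyverno` (substituting the real service account); a `no` here is the usual cause of a rule that matches but never produces the PolicyApplied event. Because the binding is cluster-wide, keep the resource list limited to what the policies actually target and review it like any other cluster-scoped write permission; do not fall back to a wildcard role to make a sample work.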

A few sample policies for testing:

  1. add a label to the existing secret using patchStrategicMerge:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "test-post-mutation"
spec:
  rules:
    - name: "mutate-deploy-on-configmap-update"
      match:
        any:
        - resources:
            kinds:
            - ConfigMap
            names:
            - dictionary-1
            namespaces:
            - staging
      preconditions:
        any:
        - key: "{{ request.operation }}"
          operator: Equals
          value: DELETE
      mutate:
        targets:
        - apiVersion: v1
          kind: Secret
          name: test-secret-1
          namespace: "{{ request.object.metadata.namespace }}"
        patchStrategicMerge:
          metadata:
            labels:
              foo: bar
```
  2. add a label defined with a JMESPath variable using JSON patch:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "test-post-mutation"
spec:
  rules:
    - name: "mutate-deploy-on-configmap-update"
      match:
        any:
        - resources:
            kinds:
            - ConfigMap
            names:
            - dictionary-1
            namespaces:
            - staging
      preconditions:
        any:
        - key: "{{ request.operation }}"
          operator: Equals
          value: DELETE
      mutate:
        targets:
        - apiVersion: v1
          kind: Secret
          name: test-secret-1
          namespace: "{{ request.object.metadata.namespace }}"
        # patchesJson6902 is a sibling of patchStrategicMerge under mutate,
        # not a child of it
        patchesJson6902: |-
          - op: add
            path: "/metadata/labels/env"
            value: "{{ request.userInfo.username }}"
```
  3. restart the deployment's pod on configmap updates:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "test-post-mutation"
spec:
  rules:
    - name: "mutate-deploy"
      match:
        any:
        - resources:
            kinds:
            - ConfigMap
            names:
            - dictionary-1
            namespaces:
            - staging
      mutate:
        targets:
        - apiVersion: apps/v1
          kind: Deployment
          name: test-deploy
          namespace: staging
        patchStrategicMerge:
          spec:
            template:
              metadata:
                annotations:
                  kyverno.io/since-last-update: "{{ time_since('', '{{ request.object.metadata.creationTimestamp }}', '') }}"
```

Slack discussion

No response

Labels: enhancement (New feature or request)