diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md
index 74fee2946d..19110511e3 100644
--- a/documentation/writing-policies-mutate.md
+++ b/documentation/writing-policies-mutate.md
@@ -35,13 +35,13 @@ spec :
         kinds:
         - Deployment
     mutate:
-      patches:
-      - path: "/spec/template/spec/initContainers/0/"
-        op: add
-        value:
-        - image: "nirmata.io/kube-vault-client:v2"
-          name: "init-secrets"
-
+      overlay:
+        spec:
+          template:
+            spec:
+              initContainers:
+              - name: init-secrets
+                image: nirmata.io/kube-vault-client:v2
 ````
 
 Here is the example of a patch that removes a label from the secret:
@@ -178,25 +178,30 @@ A variation of an anchor, is to add a field value if it is not already defined.
 An `add anchor` is processed as part of applying the mutation. Typically, every non-anchor tag-value is applied as part of the mutation. If the `add anchor` is set on a tag, the tag and value are only applied if they do not exist in the resource.
 
-For example, this overlay will set the port to 6443, if a port is not already defined:
+For example, this policy matches and mutates pods with `emptyDir` volume, to add the `safe-to-evict` annotation if it is not specified.
 
 ````yaml
 apiVersion: kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : policy-set-port
-spec :
-  rules:
-  - name: "Set port"
-    match:
-      resources:
-        kinds :
-        - Endpoints
-    mutate:
+kind: ClusterPolicy
+metadata:
+  name: add-safe-to-evict
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  rules:
+  - name: "annotate-empty-dir"
+    match:
+      resources:
+        kinds:
+        - Pod
+    mutate:
       overlay:
-        subsets:
-        - (ports):
-            +(port): 6443
+        metadata:
+          annotations:
+            +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
+        spec:
+          volumes:
+          - (emptyDir): {}
 ````
 
 #### Anchor processing flow