add policy doc

2024-12-14 11:57:48 +00:00 · 2019-11-05 16:45:37 -08:00 · 2019-11-05 16:45:37 -08:00 · cd3e0f46f3
commit cd3e0f46f3
parent 9f7b6eaaf6
3 changed files with 58 additions and 6 deletions
--- a/samples/MutateSafeToEvict.md
+++ b/samples/MutateSafeToEvict.md
@ -0,0 +1,51 @@
+# Mutate pods with `emptyDir` and `hostPath` with `safe-to-evict`
+
+The Kubernetes cluster autoscaler does not evict pods that use `hostPath` or `emptyDir` volumes. To allow eviction of these pods, the following annotation must be added to the pods:
+
+````yaml
+cluster-autoscaler.kubernetes.io/safe-to-evict: true
+````
+
+This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to add the `safe-to-evict` annotation if it is not specified.
+
+## Policy YAML
+
+[add_safe_to_evict_annotation.yaml](best_practices/add_safe-to-evict_annotation.yaml)
+
+````yaml
+apiVersion: "kyverno.io/v1alpha1"
+kind: "ClusterPolicy"
+metadata: 
+  name: "annotate-emptydir-hostpath"
+spec: 
+  rules: 
+  - name: "empty-dir-add-safe-to-evict"
+    match: 
+      resources: 
+        kinds: 
+        - "Pod"
+    mutate: 
+      overlay:
+        metadata:
+          annotations:
+            +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
+        spec:          
+          volumes: 
+          - (emptyDir): {}
+  - name: "host-path-add-safe-to-evict"
+    match: 
+      resources: 
+        kinds: 
+        - "Pod"
+    mutate: 
+      overlay:
+        metadata:
+          annotations:
+            +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
+        spec:          
+          volumes: 
+          - (hostPath):
+              path: "*"
+
+````
+
--- a/samples/README.md
+++ b/samples/README.md
@ -52,15 +52,16 @@ These policies are highly recommended.
 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
 15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
 16. [Disallow Helm Tiller](DisallowHelmTiller.md)
+17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](MutateSafeToEvict.md)

 ## Additional Policies

 The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes. 

-16. [Limit use of `NodePort` services](LimitNodePort.md)
-17. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
-18. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
-19. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
+18. [Limit use of `NodePort` services](LimitNodePort.md)
+19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
+20. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
+21. [Limit Kernel parameter access](ConfigureKernelParmeters.md)



--- a/samples/best_practices/add_safe-to-evict_annotation.yaml
+++ b/samples/best_practices/add_safe-to-evict_annotation.yaml
@ -5,8 +5,8 @@ metadata:
  annotations:
    policies.kyverno.io/category: AutoScaling
    policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that 
-      use hostPath or emptyDir volumes. To allow eviction the annotation 
-      cluster-autoscaler.kubernetes.io/safe-to-evict=true is added to the pod. 
+      use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation 
+      cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. 
 spec: 
  rules: 
  - name: "empty-dir-add-safe-to-evict"