From cd3e0f46f3a5113eca5aaf05f38507f838a8dab6 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Tue, 5 Nov 2019 16:45:37 -0800
Subject: [PATCH] add policy doc
---
samples/MutateSafeToEvict.md | 51 +++++++++++++++++++
samples/README.md | 9 ++--
.../add_safe-to-evict_annotation.yaml | 4 +-
3 files changed, 58 insertions(+), 6 deletions(-)
create mode 100644 samples/MutateSafeToEvict.md
diff --git a/samples/MutateSafeToEvict.md b/samples/MutateSafeToEvict.md
new file mode 100644
index 0000000000..86717cf950
--- /dev/null
+++ b/samples/MutateSafeToEvict.md
@@ -0,0 +1,51 @@
+# Mutate pods with `emptyDir` and `hostPath` with `safe-to-evict`
+
+The Kubernetes cluster autoscaler does not evict pods that use `hostPath` or `emptyDir` volumes. To allow eviction of these pods, the following annotation must be added to the pods:
+
+````yaml
+cluster-autoscaler.kubernetes.io/safe-to-evict: true
+````
+
+This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to add the `safe-to-evict` annotation if it is not specified.
+
+## Policy YAML
+
+[add_safe_to_evict_annotation.yaml](best_practices/add_safe-to-evict_annotation.yaml)
+
+````yaml
+apiVersion: "kyverno.io/v1alpha1"
+kind: "ClusterPolicy"
+metadata:
+ name: "annotate-emptydir-hostpath"
+spec:
+ rules:
+ - name: "empty-dir-add-safe-to-evict"
+ match:
+ resources:
+ kinds:
+ - "Pod"
+ mutate:
+ overlay:
+ metadata:
+ annotations:
+ +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
+ spec:
+ volumes:
+ - (emptyDir): {}
+ - name: "host-path-add-safe-to-evict"
+ match:
+ resources:
+ kinds:
+ - "Pod"
+ mutate:
+ overlay:
+ metadata:
+ annotations:
+ +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
+ spec:
+ volumes:
+ - (hostPath):
+ path: "*"
+
+````
+
diff --git a/samples/README.md b/samples/README.md
index 5f13e4bcf3..0f289c3f3e 100644
--- a/samples/README.md
+++ b/samples/README.md
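Review bot: The annotation value in the embedded policy, `+(cluster-autoscaler.kubernetes.io/safe-to-evict): true`, and the bare `cluster-autoscaler.kubernetes.io/safe-to-evict: true` in the first fence are YAML booleans, but Kubernetes annotations are decoded as `map[string]string`, so a mutation patch that inserts a boolean will be rejected by the API server when the patched pod is decoded, and the cluster autoscaler documents the string form. Both occurrences should be quoted: `+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"` and `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"`. This page says it mirrors `best_practices/add_safe-to-evict_annotation.yaml`; that file's rules are not part of this commit's hunk, so I cannot confirm whether it has the same defect, but it should be checked. It would also help readers to state explicitly that the annotation declares the pod tolerates losing its `emptyDir`/`hostPath` contents on scale-down, since the policy applies it to every such pod cluster-wide.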
@@ -52,15 +52,16 @@ These policies are highly recommended. 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) 15. [Default deny all ingress traffic](DefaultDenyAllIngress.md) 16. [Disallow Helm Tiller](DisallowHelmTiller.md) +17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](MutateSafeToEvict.md) ## Additional Policies The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes. -16. [Limit use of `NodePort` services](LimitNodePort.md) -17. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md) -18. [Configure Linux Capabilities](AssignLinuxCapabilities.md) -19. [Limit Kernel parameter access](ConfigureKernelParmeters.md) +18. [Limit use of `NodePort` services](LimitNodePort.md) +19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md) +20. [Configure Linux Capabilities](AssignLinuxCapabilities.md) +21. [Limit Kernel parameter access](ConfigureKernelParmeters.md) diff --git a/samples/best_practices/add_safe-to-evict_annotation.yaml b/samples/best_practices/add_safe-to-evict_annotation.yaml index dcd548b8d4..63fd5cc621 100644 --- a/samples/best_practices/add_safe-to-evict_annotation.yaml +++ b/samples/best_practices/add_safe-to-evict_annotation.yaml @@ -5,8 +5,8 @@ metadata: annotations: policies.kyverno.io/category: AutoScaling policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that - use hostPath or emptyDir volumes. To allow eviction the annotation - cluster-autoscaler.kubernetes.io/safe-to-evict=true is added to the pod. + use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation + cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. spec: rules: - name: "empty-dir-add-safe-to-evict"
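Review bot: The rewritten `policies.kyverno.io/description` still presents the annotation as something that merely unblocks eviction; it should state the trade-off, because this policy stamps `safe-to-evict=true` onto every pod with a `hostPath` or `emptyDir` volume, which tells the cluster autoscaler it may drain the node even though the data in those volumes is lost with the pod, which is exactly the safeguard the autoscaler's default behaviour exists for. I would extend the description with a sentence such as `This policy adds the annotation to every such pod cluster-wide; exclude namespaces or workloads whose local volume data must not be lost.` The `match`/`exclude` block that decides which pods are mutated is outside this hunk, so I cannot tell whether any exclusions exist. A minor precision point: the autoscaler "does not evict" these pods in the sense that it will not scale down a node running them, and saying so makes the consequence of the annotation clearer.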