mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Allow use of "pods/binding" subresource (#2721)

Browse source 
For cases where a policy matches the "Bindings" kind in the "core/v1"
API group and version, adjust the pertinent Webhook configuration rule
to use the "pods/binding" subresource.

Doing so allows observing and reacting to the Kubernetes
scheduler (and its "extenders") assigning pods to nodes, before any
other system actors observe that assignment. This is an opportune
moment in between the pod' creation and a kubelet starting it running.

Signed-off-by: Steven E. Harris <seh@panix.com>
This commit is contained in:
Steven E. Harris 2021-11-16 16:26:22 -05:00 committed by GitHub
parent fa95132806
commit f90b982903
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pkg/webhookconfig/configmanager.go
View file

@ -690,6 +690,8 @@ func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy *kyverno.Cluste
// note: webhook stores GVR in its rules while policy stores GVK in its rules definition
gv, k := common.GetKindFromGVK(gvk)
switch k {
case "Binding":
gvrList = append(gvrList, schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods/binding"})
case "NodeProxyOptions":
gvrList = append(gvrList, schema.GroupVersionResource{Group: "", Version: "v1", Resource: "nodes/proxy"})
case "PodAttachOptions":