From f90b982903d07fc094f5be1cdc19b26ec36da455 Mon Sep 17 00:00:00 2001
From: "Steven E. Harris"
Date: Tue, 16 Nov 2021 16:26:22 -0500
Subject: [PATCH] Allow use of "pods/binding" subresource (#2721)

For cases where a policy matches the "Bindings" kind in the "core/v1" API group and version, adjust the pertinent Webhook configuration rule to use the "pods/binding" subresource. Doing so allows observing and reacting to the Kubernetes scheduler (and its "extenders") assigning pods to nodes, before any other system actors observe that assignment. This is an opportune moment in between the pod' creation and a kubelet starting it running.

Signed-off-by: Steven E. Harris
---
 pkg/webhookconfig/configmanager.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/webhookconfig/configmanager.go b/pkg/webhookconfig/configmanager.go
index 12ac02252d..c8563b9414 100644
--- a/pkg/webhookconfig/configmanager.go
+++ b/pkg/webhookconfig/configmanager.go
@@ -690,6 +690,8 @@ func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy *kyverno.Cluste
 // note: webhook stores GVR in its rules while policy stores GVK in its rules definition
 gv, k := common.GetKindFromGVK(gvk)
 switch k {
+ case "Binding":
+ gvrList = append(gvrList, schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods/binding"})
 case "NodeProxyOptions":
 gvrList = append(gvrList, schema.GroupVersionResource{Group: "", Version: "v1", Resource: "nodes/proxy"})
 case "PodAttachOptions":
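Review bot: The new `case "Binding":` switches on the kind name only, so `gv` is not consulted and a policy naming a `Binding` kind from any other API group would still be registered as core `v1` `pods/binding`. The existing `NodeProxyOptions` case has the same shape, but `Binding` is a far more generic name, so checking that `gv` refers to the core group before appending would be safer. Core `v1` also serves this kind through the older `bindings` resource, and this case registers only the subresource, so a policy meant to control node assignment would presumably not see a binding created that way unless `gvrList = append(gvrList, schema.GroupVersionResource{Group: "", Version: "v1", Resource: "bindings"})` is added alongside. A comment such as `// Binding requests carry the target node, not the pod spec; this rule sits on the scheduler's bind path` would also help policy authors. The switch and the rest of mergeWebhook continue outside the hunk, so how `gv` and the default branch are handled could not be checked here.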