Feature - Change annotation for auto-generate pod controllers policy #849
* 'master' of github.com:nirmata/kyverno: (102 commits) fix 843 (#844) chart readme fixes Fix Helm chart README.md for Helm 3 Add Helm chart for Kyverno - #835 Documentation update 664 tested prototype 823 tested prototype Fixes #817 - slack channel URL 797 typo fix Fixes #797 - update example for mutate patch policy remove cpu limit in BP require_pod_requests_limits.yaml (#807) 808 test fixes 808_prototype 753 reverting autogen rule changes 786 fixed tests 786 tested prototype 775 circle ci fixes 753 fixing tests 775 working prototype 753_avoiding_duplicate_vals ...
pkg/webhooks/policymutation.go
Outdated
controllers = "all" | ||
if controllers == "all" { | ||
controllers = "DaemonSet,Deployment,Job,StatefulSet" | ||
} |
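Review bot: The check `if controllers == "all"` can never be false, because the line directly above it assigns `controllers = "all"`; whatever value `controllers` held before these lines is discarded. Either drop the unconditional assignment so the branch actually tests the incoming value, or assign the explicit list directly and remove the `if`. If the incoming value can be something other than "all", decide what `controllers` should hold in that case and cover it with a test.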
What if controllers != "all"? It will pass in "" to generateRulePatches() in line 165.
pkg/webhooks/policymutation.go
Outdated
return kyvernoRule{} | ||
} | ||
controllers = engine.PodControllers | ||
if match.ResourceDescription.Name != "" || match.ResourceDescription.Selector != nil || |
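Review bot: The condition beginning `if match.ResourceDescription.Name != "" || match.ResourceDescription.Selector != nil ||` has no comment explaining why a name or selector in the match block changes what happens after `controllers = engine.PodControllers`. A short comment above the `if` stating the rule, or moving the checks into a helper with a descriptive name, would let a reader follow the logic without leaving the file.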
Please read the design doc to understand the logic: https://github.com/nirmata/kyverno/wiki/Auto-generating-rule-for-pod-controllers
Problem
This relates to #637.
If a rule is defined for the pod, Kyverno will automatically generate the rule for pod controllers DaemonSet, Deployment, Job and StatefulSet by inserting an annotation pod-policies.kyverno.io/autogen-controllers=all to the policy.
While DaemonSet, Deployment, Job and StatefulSet do not cover all the pod controllers, i.e. ReplicaSet, ReplicationController, CronJob, it would be clear if we change the default annotation to pod-policies.kyverno.io/autogen-controllers=DaemonSet,Deployment,Job,StatefulSet.
Solution
Other changes