
[Sample] Add node labels to Pod #887

Closed · Fixed by #914
chipzoller opened this issue Jan 17, 2024 · 2 comments
Labels: good first issue (Good for newcomers), sample (Sample policy)

Comments

@chipzoller (Member):

Problem Statement

We have a sample for how to assign annotations to Pods based on the /binding subresource but not labels. The Kubernetes API doesn't allow assigning labels to bindings and having those translate to the Pods, so a mutate existing rule has to be used.

Solution Description

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: add-node-labels-pod
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Add scheduled Node's labels to a Pod
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      Containers running in Pods may sometimes need access to node-specific information on 
      which the Pod has been scheduled. A common use case is node topology labels to ensure 
      pods are spread across failure zones in racks or in the cloud. The mutate-pod-binding
      policy already does this for annotations, but it does not handle labels. A useful use
      case is for passing metric label information to ServiceMonitors and then into Prometheus.
      This policy watches for Pod binding events when the pod is scheduled and then 
      asynchronously mutates the existing Pod to add the labels.
      This policy requires the following changes to common default configurations:
      - The kyverno resourceFilter should not filter pod/Binding resources.
      - The kyverno backgroundController service account requires Update permission on pods. 
      It is recommended to use https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles 
spec:
  rules:
    - name: add-topology-labels
      match:
        any:
        - resources:
            kinds:
            - Pod/binding
      context:
      - name: node
        variable:
          jmesPath: request.object.target.name
          default: ''
      - name: ZoneLabel
        apiCall:
          urlPath: "/api/v1/nodes/{{node}}"
          jmesPath: "metadata.labels.\"topology.kubernetes.io/zone\" || 'empty'"
      mutate:
        targets:
        - apiVersion: v1
          kind: Pod
          name: "{{ request.object.metadata.name }}"
          namespace: "{{ request.object.metadata.namespace }}"
        patchStrategicMerge:
          metadata:
            labels: 
              # https://kubernetes.io/docs/reference/labels-annotations-taints/#topologykubernetesiozone
              topology.kubernetes.io/zone: "{{ ZoneLabel }}"


Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1704971258092579?thread_ts=1704276295.075759&cid=CLGR9BJU9

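As an added illustration (not code from the issue or from the Kyverno project), the Python below simulates what the proposed policy computes for one Pod/binding admission request: the node name taken from the binding target, the node lookup with the `|| 'empty'` JMESPath fallback, and the strategic-merge patch applied to the existing Pod. The Node and Pod objects are constructed samples, and the unknown-node case simply yields "empty" rather than modelling an apiCall error.

```python
from copy import deepcopy

ZONE_KEY = "topology.kubernetes.io/zone"

# Constructed sample cluster state: one node with a zone label, one without.
NODES = {
    "worker-a": {"metadata": {"name": "worker-a", "labels": {ZONE_KEY: "us-east-1a"}}},
    "worker-b": {"metadata": {"name": "worker-b", "labels": {}}},
}


def zone_label(node):
    """Equivalent of the policy's JMESPath:
    metadata.labels."topology.kubernetes.io/zone" || 'empty'"""
    labels = node.get("metadata", {}).get("labels") or {}
    return labels.get(ZONE_KEY) or "empty"


def build_patch(binding, nodes):
    """Evaluate the policy's context entries and mutate.targets for one binding.
    Returns the target Pod reference and the strategic-merge patch to apply."""
    # context 'node': request.object.target.name, default '' when absent
    node_name = binding.get("target", {}).get("name", "")
    # context 'ZoneLabel': GET /api/v1/nodes/{{node}} then the JMESPath above
    node = nodes.get(node_name, {})
    target = {
        "apiVersion": "v1",
        "kind": "Pod",
        "name": binding["metadata"]["name"],
        "namespace": binding["metadata"]["namespace"],
    }
    patch = {"metadata": {"labels": {ZONE_KEY: zone_label(node)}}}
    return target, patch


def apply_patch(pod, patch):
    """Strategic merge of metadata.labels: existing labels are kept, zone is set."""
    mutated = deepcopy(pod)
    labels = mutated.setdefault("metadata", {}).setdefault("labels", {})
    labels.update(patch["metadata"]["labels"])
    return mutated


def mutate_for_binding(binding, pod, nodes=NODES):
    """Full flow: binding event -> target Pod -> node lookup -> mutated Pod."""
    target, patch = build_patch(binding, nodes)
    pod_ref = (pod["metadata"]["name"], pod["metadata"]["namespace"])
    if pod_ref != (target["name"], target["namespace"]):
        raise ValueError("binding does not reference this Pod")
    return apply_patch(pod, patch)
```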

@chipzoller chipzoller added the sample Sample policy label Jan 17, 2024
@JimBugwadia JimBugwadia added the good first issue Good for newcomers label Feb 21, 2024
@JimBugwadia (Member):

Also see: https://realz.medium.com/add-topology-label-to-your-kubernetes-pods-8c6fb4c1f891

@Chandan-DK (Contributor):

I'd like to work on this issue. Please assign it to me.
