
feat: add label-based exclusion to inject-coco-initdata policy#92

Open
butler54 wants to merge 1 commit into
validatedpatterns:mainfrom
butler54:feat/kyverno-skip-initdata-label

Conversation

@butler54
Collaborator

Problem

Kyverno's inject-coco-initdata policy currently has no exclusion mechanism. All kata pods must have the coco.io/initdata-configmap annotation, or the policy fails when trying to read the (non-existent) ConfigMap.

This blocks special-purpose kata pods that don't need init_data injection, such as:

  • Firmware reference value collection pods (veritas-based measurement collection)
  • Debug/troubleshooting pods
  • One-off administrative tasks

Solution

Add an exclude block to the policy that skips pods with label coco.io/skip-initdata: "true".

exclude:
  any:
    - resources:
        selector:
          matchLabels:
            coco.io/skip-initdata: "true"

Changes

  • charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml: Add exclude block after match block

Usage

Special-purpose kata pods can bypass init_data injection by adding the label:

apiVersion: v1
kind: Pod
metadata:
  name: firmware-collector
  labels:
    coco.io/skip-initdata: "true"
spec:
  runtimeClassName: kata-cc
  # ... rest of spec

Benefits

  • Self-documenting: Policy itself shows what gets excluded
  • Type-safe: Uses label selectors instead of annotation value checks
  • Explicit intent: Clear that bypass is intentional
  • Reusable: Any pod can use this label

Related

Testing

Deploy the updated policy, then launch a kata pod with the coco.io/skip-initdata: "true" label:

  • Verify policy does not attempt to inject init_data
  • Verify pod launches successfully
  • Verify normal kata pods (without the label) still get init_data injection

🤖 Generated with Claude Code

Add exclude block to inject-coco-initdata Kyverno policy to skip
pods with label coco.io/skip-initdata: "true".

This allows special-purpose kata pods (like firmware collection pods)
to bypass init_data injection when they don't need attestation to KBS.

Use case: The firmware collection workflow (PR validatedpatterns#89) needs to launch
a kata pod to collect TEE measurements using veritas, but doesn't
require init_data injection since it only accesses the TEE device
directly and doesn't request secrets from KBS.

Without this exclusion, the policy tries to inject init_data but
fails because the pod doesn't have the coco.io/initdata-configmap
annotation, blocking pod creation.

Usage: Add label coco.io/skip-initdata: "true" to any kata pod that
should bypass init_data injection.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
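The Testing section above describes the three outcomes a reviewer wants to see: a labeled kata pod is skipped, an unlabeled kata pod with the ConfigMap annotation still gets init_data, and an unlabeled kata pod without the annotation still hits the missing-ConfigMap failure. The following Python is an added illustration of that match/exclude decision and is not code from the validatedpatterns repository or from this PR; the real enforcement is the Kyverno ClusterPolicy. It assumes the policy's match rule is "pod runtimeClassName starts with kata" (the PR only says "all kata pods"), uses the annotation and label keys named in the PR, and mirrors Kubernetes matchLabels semantics (exact string comparison, so only the value "true" excludes). The audit helper exists because a label-based exclusion is a bypass any pod author can set, so operators will want to list which pods are using it.

```python
"""Simulate the inject-coco-initdata policy decision on sample pod manifests.

Added example, not the project's policy code. Assumption: the policy matches
pods whose runtimeClassName starts with "kata"; annotation and label keys are
the ones named in the PR.
"""

SKIP_LABEL = "coco.io/skip-initdata"                # exclude selector from the PR
INITDATA_ANNOTATION = "coco.io/initdata-configmap"   # annotation the policy reads


def _metadata_map(pod: dict, key: str) -> dict:
    """Return pod.metadata.<key> (labels/annotations) as a dict, never None."""
    return pod.get("metadata", {}).get(key) or {}


def is_kata_pod(pod: dict) -> bool:
    """Assumed match rule: runtimeClassName begins with 'kata' (e.g. kata-cc)."""
    return str(pod.get("spec", {}).get("runtimeClassName", "")).startswith("kata")


def is_excluded(pod: dict) -> bool:
    """matchLabels is an exact string match, so only the value "true" excludes."""
    return _metadata_map(pod, "labels").get(SKIP_LABEL) == "true"


def evaluate(pod: dict) -> str:
    """Outcome for one pod: not-matched | excluded | inject | error.

    'error' is the pre-PR failure mode: the policy matches, is not excluded,
    and would try to read a ConfigMap whose name is not in the annotation.
    """
    if not is_kata_pod(pod):
        return "not-matched"
    if is_excluded(pod):
        return "excluded"
    if INITDATA_ANNOTATION not in _metadata_map(pod, "annotations"):
        return "error"
    return "inject"


def audit_bypasses(pods: list) -> list:
    """Names of kata pods that opt out of init_data injection via the label.

    Defender view: the label is a policy bypass, so its use should be visible.
    """
    return sorted(
        pod["metadata"]["name"] for pod in pods
        if is_kata_pod(pod) and is_excluded(pod)
    )


def _pod(name, labels=None, annotations=None, runtime="kata-cc") -> dict:
    """Build a minimal constructed pod manifest for the simulation."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "labels": labels or {}, "annotations": annotations or {}},
        "spec": {"runtimeClassName": runtime},
    }


# Constructed sample pods covering each branch of the Testing section.
SAMPLE_PODS = {
    "firmware-collector": _pod("firmware-collector", labels={SKIP_LABEL: "true"}),
    "workload": _pod("workload", annotations={INITDATA_ANNOTATION: "workload-initdata"}),
    "no-annotation": _pod("no-annotation"),
    "wrong-value": _pod("wrong-value", labels={SKIP_LABEL: "yes"}),
    "plain-runc": _pod("plain-runc", runtime="runc"),
}


if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        print(f"{name:20s} -> {evaluate(pod)}")
    print("pods bypassing init_data injection:", audit_bypasses(list(SAMPLE_PODS.values())))
```

Run it as a script to see one line per sample pod; the "wrong-value" case shows why the PR quotes the label value as the string "true", since any other value leaves the pod matched and, without the annotation, still blocked.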
@butler54 butler54 requested a review from a team May 29, 2026 02:44
