[Sample] Mount volumes for ephemeral containers #1088

Open
@realshuting

Description

Problem Statement

Add the sample policy to mount volumes and set default security context for ephemeral containers. To break down the following policy:

  1. the first rule adds the volume to pods with the label ephemeral-debug: true
  2. the second rule adds the default security context to ephemeral containers
  3. the third rule mounts the volume added by the first rule to ephemeral containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mount-volumes-for-ephemeral-containers
spec:
  background: false
  rules:
  - name: add-volume-to-debug-pod
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - default
          selector:
            matchLabels:
              ephemeral-debug: "true"
          operations:
          - CREATE
    mutate:
      patchStrategicMerge:
        spec:
          volumes:
          - name: ephemeralcontainer-tmp-tcpdump-volume
            emptyDir:
              sizeLimit: 1G
  - name: mutate-ephemeralcontainers-readonlyrootfilesystem
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - default
    preconditions:
      all:
      - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
        operator: GreaterThanOrEquals
        value: 1
    mutate:
      foreach:
        - list: "request.object.spec.ephemeralContainers[]"
          patchStrategicMerge:
            spec:
              ephemeralContainers:
              - name: "{{ element.name }}"
                +(securityContext):
                  +(readOnlyRootFilesystem): true
  - name: add-volumemount
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - default
    preconditions:
      all:
      - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
        operator: GreaterThanOrEquals
        value: 1
      # Count the ephemeral containers that already have the mount; the rule
      # runs only while at least one of them lacks it. This must be `||`
      # (default when null), not `|`: piping into the `[]` literal discards
      # the left-hand side and always yields length 0, which makes the
      # precondition vacuous.
      - key: "{{ request.object.spec.ephemeralContainers[?volumeMounts[?name=='ephemeralcontainer-tmp-tcpdump-volume']] || `[]` | length(@) }}"
        operator: LessThan
        value: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
    mutate:
      foreach:
        - list: "request.object.spec.ephemeralContainers"
          patchStrategicMerge:
            spec:
              ephemeralContainers:
              - name: "{{ element.name }}"
                volumeMounts:
                - mountPath: /tmp
                  name: ephemeralcontainer-tmp-tcpdump-volume

It would be good to add Chainsaw tests for this policy, the test scenarios:

  1. create the policy
  2. create a pod with the label ephemeral-debug: true
  3. verify the volume is added to the pod
  4. create the ephemeral container, for example kubectl debug -it nginx-64ff7dcdf4-5jbmb --image=network-multitool:v1 --target nginx -- bash
  5. verify the security context and volumeMounts are added to ephemeral containers

Solution Description

See above.

Example "Good" Resource

No response

Example "Bad" Resource

No response

Other Comments

No response

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1721654971501889
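The five test scenarios listed in the issue, written out as one Chainsaw test. This is an added example, not code from the issue or from the Kyverno project. It assumes the policy above is saved as `policy.yaml` next to the test file, that Kyverno is installed in the cluster, and that `kubectl` on the runner's PATH points at the same cluster Chainsaw uses; the pod name `nginx`, the debug container name `debugger`, and the images are made up for the test. The assertions select the volume and the ephemeral container by name with JMESPath keys so that other entries (for example the service-account token volume the API server injects) do not break the match.

```yaml
# Added Chainsaw test for the mount-volumes-for-ephemeral-containers policy.
# Assumptions: policy.yaml (the policy from the issue) sits next to this file,
# Kyverno is installed, kubectl targets the same cluster as Chainsaw.
# Pod/container/image names below are constructed for the test.
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
  name: mount-volumes-for-ephemeral-containers
spec:
  steps:
  # 1. create the policy and wait until Kyverno reports it ready
  - name: create-policy
    try:
    - apply:
        file: policy.yaml
    - assert:
        resource:
          apiVersion: kyverno.io/v1
          kind: ClusterPolicy
          metadata:
            name: mount-volumes-for-ephemeral-containers
          status:
            conditions:
            - reason: Succeeded
              status: "True"
              type: Ready
  # 2. + 3. create a labelled pod in `default` and verify the emptyDir was added
  - name: create-debug-pod
    try:
    - apply:
        resource:
          apiVersion: v1
          kind: Pod
          metadata:
            name: nginx
            namespace: default
            labels:
              ephemeral-debug: "true"
          spec:
            containers:
            - name: nginx
              image: nginx:1.27
    - assert:
        resource:
          apiVersion: v1
          kind: Pod
          metadata:
            name: nginx
            namespace: default
          spec:
            # pick the volume by name; other injected volumes may be present
            (volumes[?name == 'ephemeralcontainer-tmp-tcpdump-volume'] | [0]):
              emptyDir:
                sizeLimit: 1G
  # 4. + 5. add an ephemeral container (an update to the pods/ephemeralcontainers
  # subresource) and verify the security context and volumeMount were added
  - name: add-ephemeral-container
    try:
    - script:
        content: |
          kubectl -n default debug nginx --image=busybox:1.36 \
            --container=debugger --target=nginx -- sleep 3600
    - assert:
        resource:
          apiVersion: v1
          kind: Pod
          metadata:
            name: nginx
            namespace: default
          spec:
            (ephemeralContainers[?name == 'debugger'] | [0]):
              securityContext:
                readOnlyRootFilesystem: true
              (volumeMounts[?name == 'ephemeralcontainer-tmp-tcpdump-volume'] | [0]):
                mountPath: /tmp
```

Run it with `chainsaw test` from the directory holding the test and `policy.yaml`. The ephemeral container is created without `-it` so the script returns as soon as the API server accepts the update; the assertion then polls the pod spec. If the last assertion fails while the first two pass, the mutation rules were never invoked for the `kubectl debug` request: that request is a patch to the pod's `ephemeralcontainers` subresource rather than to the Pod resource, so check how your Kyverno version expects that subresource to be matched before suspecting the test.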
