Add Certificates as a Volume

In some cases you need every container of a Pod to trust custom CA certificates. It makes sense to keep the certificates in a ConfigMap so that they can be auto-mounted by setting a single annotation. This policy adds a volume backed by the `ca-pemstore` ConfigMap, plus a matching `volumeMounts` entry at `/etc/ssl/certs` in every container, to any Pod that carries the annotation `inject-certs` with the value `enabled`. The mutation is idempotent: a container or Pod that already has a volume mount or volume named `etc-ssl-certs` is left unchanged. Two practical caveats: the `ca-pemstore` ConfigMap must already exist in the Pod's namespace or the Pod will not start, and because a ConfigMap volume mounted without `subPath` replaces the whole of `/etc/ssl/certs`, the ConfigMap must hold the complete bundle (your custom CAs together with the public roots the image normally ships) or the container stops trusting the public CAs it trusted before.

Policy Definition

/other-mpol/add-certificates-volume/add-certificates-volume.yaml

apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: add-certificates-volume
  annotations:
    policies.kyverno.io/title: Add Certificates as a Volume
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod,Volume
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/minversion: 1.5.0
    policies.kyverno.io/description: >-
      In some cases you need every container of a Pod to trust custom CA certificates.
      It makes sense to keep them in a ConfigMap so that you can automount them by only setting an annotation.
      This policy adds a volume to all containers in a Pod containing the certificate if the annotation
      called `inject-certs` with value `enabled` is found.
spec:
  autogen:
    podControllers:
      controllers:
      - daemonsets
      - deployments
      - jobs
      - statefulsets
  evaluation:
    admission:
      enabled: true
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  matchConditions:
  - name: check-inject-certs-annotation
    expression: 'has(object.metadata.annotations) && "inject-certs" in object.metadata.annotations && object.metadata.annotations["inject-certs"] == "enabled"'
  mutations:
  - patchType: ApplyConfiguration
    applyConfiguration:
      expression: |
        Object{
          spec: Object.spec{
            containers: object.spec.containers.map(container, Object.spec.containers{
              name: container.name,
              volumeMounts: (has(container.volumeMounts) && container.volumeMounts.exists(vm, vm.name == "etc-ssl-certs"))
                ? container.volumeMounts
                : ((has(container.volumeMounts) ? container.volumeMounts : []) + [
                    Object.spec.containers.volumeMounts{
                      name: "etc-ssl-certs",
                      mountPath: "/etc/ssl/certs"
                    }
                  ])
            }),
            volumes: (has(object.spec.volumes) && object.spec.volumes.exists(v, v.name == "etc-ssl-certs"))
              ? object.spec.volumes
              : ((has(object.spec.volumes) ? object.spec.volumes : []) + [
                  Object.spec.volumes{
                    name: "etc-ssl-certs",
                    configMap: Object.spec.volumes.configMap{
                      name: "ca-pemstore"
                    }
                  }
                ])
          }
        }
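The CEL expression above has to get three cases right: a Pod without the annotation (untouched), an opted-in Pod with no existing mounts or volumes (both added), and an opted-in Pod that already carries an `etc-ssl-certs` mount or volume (left as is, so re-admission on UPDATE does not duplicate entries). The following is an added example, not Kyverno's code and not part of this policy: it re-implements the same mutation in plain Python so those cases can be exercised offline on constructed Pod manifests, and adds a check for the ConfigMap caveat described earlier. The annotation, volume, mount path and ConfigMap names are taken from the policy; the sample manifests are constructed for the example, and the bundle file name `ca-certificates.crt` is an assumption that holds for Debian- and Alpine-based images (other bases use a different name and location).

```python
"""Offline model of the add-certificates-volume mutation.

Added example, not Kyverno's code: it mirrors the policy's CEL
ApplyConfiguration in Python so the behaviour can be checked without a
cluster. In a cluster the CEL expression in the policy is what runs.
"""
import copy

# Names taken from the policy definition.
ANNOTATION = "inject-certs"
ANNOTATION_VALUE = "enabled"
VOLUME_NAME = "etc-ssl-certs"
MOUNT_PATH = "/etc/ssl/certs"
CONFIGMAP_NAME = "ca-pemstore"


def matches(pod: dict) -> bool:
    """Mirror the matchCondition: the annotation must exist and equal 'enabled' exactly."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return annotations.get(ANNOTATION) == ANNOTATION_VALUE


def mutate(pod: dict) -> dict:
    """Return the Pod as admission would hand it back; the input is not modified."""
    out = copy.deepcopy(pod)
    if not matches(out):
        return out
    spec = out.setdefault("spec", {})
    # Per container: keep existing mounts, add ours only if no mount of that name exists.
    for container in spec.get("containers", []):
        mounts = container.setdefault("volumeMounts", [])
        if not any(vm.get("name") == VOLUME_NAME for vm in mounts):
            mounts.append({"name": VOLUME_NAME, "mountPath": MOUNT_PATH})
    # Pod-level volume, likewise keyed on the volume name so the mutation is idempotent.
    volumes = spec.setdefault("volumes", [])
    if not any(v.get("name") == VOLUME_NAME for v in volumes):
        volumes.append({"name": VOLUME_NAME, "configMap": {"name": CONFIGMAP_NAME}})
    return out


def configmap_missing_bundle(configmap: dict, bundle_key: str = "ca-certificates.crt") -> bool:
    """True if the ConfigMap lacks the full CA bundle file.

    A ConfigMap mounted at /etc/ssl/certs without subPath shadows the whole
    directory, so the ConfigMap's keys become the only files there. bundle_key
    is the file name the image's TLS libraries read; the default is an
    assumption valid for Debian- and Alpine-based images, other bases (RHEL/UBI)
    use a different name and location, so pass the right one for your base image.
    """
    return bundle_key not in (configmap.get("data") or {})


# Constructed sample manifests for local checks (not from the page).
POD_OPT_IN = {
    "metadata": {"name": "api", "annotations": {ANNOTATION: ANNOTATION_VALUE}},
    "spec": {"containers": [
        {"name": "app", "image": "example/app:1.0"},
        {"name": "sidecar", "image": "example/proxy:1.0",
         "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]},
    ]},
}
POD_NOT_OPTED_IN = {
    # Wrong case on the value: the matchCondition compares exactly, so no mutation.
    "metadata": {"name": "batch", "annotations": {ANNOTATION: "Enabled"}},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}
CONFIGMAP_PARTIAL = {
    "metadata": {"name": CONFIGMAP_NAME},
    "data": {"corp-root.pem": "-----BEGIN CERTIFICATE-----..."},  # custom CA only, no public roots
}

if __name__ == "__main__":
    import json
    print(json.dumps(mutate(POD_OPT_IN)["spec"], indent=2))
    print("ConfigMap would drop the public roots:", configmap_missing_bundle(CONFIGMAP_PARTIAL))
```

Running `mutate` twice on the same Pod returns the same result, which is the property the `exists(...)` guards in the CEL provide; `configmap_missing_bundle(CONFIGMAP_PARTIAL)` returns `True` for the ConfigMap above, showing the case where the mount would silently remove the image's public trust store.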