Mutate Pod Binding

Containers running in Pods may sometimes need access to information about the Node on which the Pod has been scheduled. Scheduling decisions are made by kube-scheduler after the Pod has been persisted, so the Node to which the Pod is bound can only be fetched at that point. The Kubernetes API specifically allows annotations on these Binding resources to be projected onto the Pods that are their subject. This policy watches for, and then mutates, the /binding subresource of a Pod to add an annotation named `foo` whose value comes from the label, also called `foo`, on the bound Node. Use of this policy may require removal of the Binding resourceFilter in Kyverno's ConfigMap.

Policy Definition

/other/mutate-pod-binding/mutate-pod-binding.yaml

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: mutate-pod-binding
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Mutate Pod Binding
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      Containers running in Pods may sometimes need access to node-specific information
      on which the Pod has been scheduled. Scheduling decisions are made by kube-scheduler after
      the Pod has been persisted and so only at that time may the Node to which the Pod is bound
      can be fetched. The Kubernetes API allows specifically the projection of annotations from these
      Binding resources to the Pods which are their subject. This policy watches for then mutates
      the /binding subresource of a Pod to add an annotation named `foo` the value of which comes
      from the bound Node's label also called `foo`. Use of this policy may require removal of the
      Binding resourceFilter in Kyverno's ConfigMap.
spec:
  background: false
  rules:
    - name: project-foo
      match:
        any:
        - resources:
            kinds:
            - Pod/binding
      context:
      - name: node
        variable:
          jmesPath: request.object.target.name
          default: ''
      - name: foolabel
        apiCall:
          urlPath: "/api/v1/nodes/{{node}}"
          jmesPath: metadata.labels.foo || 'empty'
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              foo: "{{ foolabel }}"
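The policy above can only match if Kyverno actually admits Pod/binding requests, and the `resourceFilters` key of Kyverno's ConfigMap drops Binding traffic before any policy runs. The helpers below are an added example, not part of the policy library: they check a `resourceFilters` value for the entries that would silence this policy and print the value with those entries removed. The ConfigMap name/namespace (`kyverno`/`kyverno`), the exact filter entries (`[Binding,*,*]` and `[Pod/binding,*,*]`) and the sample value are assumptions about the default install.

```shell
#!/bin/sh
# Added example (not from the Kyverno policy library).
# Assumed: Kyverno's ConfigMap is "kyverno" in namespace "kyverno" and its
# resourceFilters value is a run of "[Kind,Namespace,Name]" entries. To read the
# live value:  kubectl get cm kyverno -n kyverno -o jsonpath='{.data.resourceFilters}'

# Entries (assumed defaults) that would keep mutate-pod-binding from ever matching.
BINDING_FILTERS='\[Binding,\*,\*\]|\[Pod/binding,\*,\*\]'

# Constructed sample resembling a default resourceFilters value, trimmed for brevity.
SAMPLE_FILTERS='[Event,*,*][*/*,kube-system,*][Node,*,*][Binding,*,*][Pod/binding,*,*][ReplicaSet,*,*]'

# Return 0 (true) when the given resourceFilters string still filters Binding requests,
# i.e. when the mutate-pod-binding policy would never see a Pod/binding request.
filters_block_binding() {
    printf '%s' "$1" | grep -Eq "$BINDING_FILTERS"
}

# Print the resourceFilters string with the Binding-related entries removed;
# every other filter entry is preserved unchanged.
strip_binding_filters() {
    printf '%s\n' "$1" | sed 's/\[Binding,\*,\*\]//g; s#\[Pod/binding,\*,\*\]##g'
}

# Stand-alone run on the constructed sample.
if filters_block_binding "$SAMPLE_FILTERS"; then
    echo "resourceFilters currently drops Binding requests; corrected value:"
    strip_binding_filters "$SAMPLE_FILTERS"
else
    echo "resourceFilters already admits Binding requests"
fi
```

After patching the ConfigMap with the corrected value, confirm the policy fires by checking that a newly scheduled Pod carries the `foo` annotation.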