Add Volume to Deployment

Some Kubernetes applications like HashiCorp Vault must perform some modifications to resources in order to invoke their specific functionality. Often, that functionality is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp Vault, adds a volume and volumeMount to a Deployment if its pod template carries the annotation "vault.k8s.corp.net/inject" with the value "enabled".

Policy Definition

/other/add_volume_deployment/add_volume_deployment.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-volume
  annotations:
    policies.kyverno.io/title: Add Volume to Deployment
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Deployment, Volume
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Some Kubernetes applications like HashiCorp Vault must perform some modifications
      to resources in order to invoke their specific functionality. Often times, that functionality
      is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp
      Vault, adds a volume and volumeMount to a Deployment if there is an annotation called
      "vault.k8s.corp.net/inject=enabled" present.
spec:
  rules:
  - name: add-volume
    match:
      any:
      - resources:
          kinds:
          - Deployment
    preconditions:
      any:
      - key: "{{request.object.spec.template.metadata.annotations.\"vault.k8s.corp.net/inject\"}}"
        operator: Equals
        value: "enabled"
    mutate:
      patchesJson6902: |-
        - op: add
          path: /spec/template/spec/volumes
          value: [{"name": "vault-secret","emptyDir": {"medium": "Memory"}}]
        - op: add
          path: /spec/template/spec/containers/0/volumeMounts
          value: [{"mountPath": "/secret","name": "vault-secret"}]
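Added example, not part of the Kyverno policy library: a small Python simulation of this rule that applies its precondition and its two RFC 6902 "add" operations to a constructed Deployment, so the admitted object can be inspected before the policy is installed. It also exercises the behaviour a practitioner should check first: an RFC 6902 "add" on an object member that already exists replaces it, so a pod template that already declares volumes, or volumeMounts on its first container, loses them under these two patches. The helpers (mutate, sample_deployment) and the sample workload are hypothetical.

```python
import copy

ANNOTATION = "vault.k8s.corp.net/inject"  # key checked by the policy's precondition

# The two operations from the policy's patchesJson6902 block, as Python literals.
PATCHES = [
    {"op": "add", "path": "/spec/template/spec/volumes",
     "value": [{"name": "vault-secret", "emptyDir": {"medium": "Memory"}}]},
    {"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts",
     "value": [{"mountPath": "/secret", "name": "vault-secret"}]},
]

def precondition_matches(deployment: dict) -> bool:
    """Mirror the rule's precondition: the pod-template annotation must equal 'enabled'."""
    template = deployment.get("spec", {}).get("template", {})
    annotations = template.get("metadata", {}).get("annotations") or {}
    return annotations.get(ANNOTATION) == "enabled"

def json6902_add(doc: dict, path: str, value) -> None:
    """Minimal RFC 6902 'add': resolve the JSON Pointer, then set the last token.
    On an object member that already exists, 'add' replaces it (RFC 6902 section 4.1)."""
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]
    node = doc
    for tok in tokens[:-1]:  # intermediate steps must exist, as the real patch would require
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    last = tokens[-1]
    if isinstance(node, list):  # array target: insert at index, or append for "-"
        node.append(value) if last == "-" else node.insert(int(last), value)
    else:
        node[last] = value

def mutate(deployment: dict) -> dict:
    """Return a copy of the Deployment as the add-volume rule would admit it."""
    out = copy.deepcopy(deployment)
    if precondition_matches(out):
        for patch in PATCHES:
            json6902_add(out, patch["path"], patch["value"])
    return out

def sample_deployment(annotate: bool, existing_volumes=None) -> dict:
    """Constructed Deployment for the demonstration (hypothetical, not a real workload)."""
    pod_spec = {"containers": [{"name": "app", "image": "example/app:1.0"}]}
    if existing_volumes:
        pod_spec["volumes"] = existing_volumes
    meta = {"annotations": {ANNOTATION: "enabled"}} if annotate else {}
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo"},
            "spec": {"template": {"metadata": meta, "spec": pod_spec}}}
```

To exercise the real policy rather than this simulation, the Kyverno CLI (kyverno apply, kyverno test) runs it against resource manifests and shows the patched output.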