Add Volume to Deployment
Some Kubernetes applications, HashiCorp Vault among them, must modify resources in order to invoke their specific functionality. Often that functionality is triggered by the presence of a particular label or annotation. This policy, modelled on HashiCorp Vault, adds a volume and a matching volumeMount to a Deployment when its pod template carries the annotation "vault.k8s.corp.net/inject=enabled".
Policy Definition
/other/add_volume_deployment/add_volume_deployment.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-volume
  annotations:
    policies.kyverno.io/title: Add Volume to Deployment
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Deployment, Volume
    policies.kyverno.io/description: >-
      Some Kubernetes applications like HashiCorp Vault must perform some modifications
      to resources in order to invoke their specific functionality. Often times, that functionality
      is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp
      Vault, adds a volume and volumeMount to a Deployment if there is an annotation called
      "vault.k8s.corp.net/inject=enabled" present.
spec:
  rules:
  - name: add-volume
    match:
      resources:
        kinds:
        - Deployment
    preconditions:
      any:
      - key: "{{request.object.spec.template.metadata.annotations.\"vault.k8s.corp.net/inject\"}}"
        operator: Equals
        value: "enabled"
    mutate:
      patchesJson6902: |-
        - op: add
          path: /spec/template/spec/volumes
          value: [{"name": "vault-secret","emptyDir": {"medium": "Memory"}}]
        - op: add
          path: /spec/template/spec/containers/0/volumeMounts
          value: [{"mountPath": "/secret","name": "vault-secret"}]
```
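The following is an added example, not code from the Kyverno policy library: a small offline simulation of what the policy above does to a Deployment. It checks the same precondition (the pod-template annotation `vault.k8s.corp.net/inject` equal to `enabled`) and applies the policy's two RFC 6902 `add` operations with a minimal, hand-written JSON Pointer implementation rather than Kyverno's engine. The `make_deployment` helper and the image name it uses are constructed sample input. Besides the happy path, it shows the edge case a reviewer of this policy should know about: an RFC 6902 `add` on an object member that already exists *replaces* that member, so a Deployment that already declares `volumes` loses them.

```python
"""Offline simulation of the add-volume ClusterPolicy (added example, not Kyverno code)."""
import copy
import json

# The two JSON patch operations, copied from the policy's patchesJson6902 block.
POLICY_PATCH = [
    {"op": "add", "path": "/spec/template/spec/volumes",
     "value": [{"name": "vault-secret", "emptyDir": {"medium": "Memory"}}]},
    {"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts",
     "value": [{"mountPath": "/secret", "name": "vault-secret"}]},
]

INJECT_ANNOTATION = "vault.k8s.corp.net/inject"


def precondition_matches(deployment: dict) -> bool:
    """Mirror the policy precondition: the pod template annotation must equal "enabled".

    A missing annotations map or missing key evaluates to no match, as the
    JMESPath lookup in the policy would.
    """
    annotations = (
        deployment.get("spec", {})
        .get("template", {})
        .get("metadata", {})
        .get("annotations") or {}
    )
    return annotations.get(INJECT_ANNOTATION) == "enabled"


def json_pointer_add(doc: dict, path: str, value):
    """Minimal RFC 6902 'add' for object members and array indices.

    RFC semantic worth remembering: adding at an existing object member
    replaces it; only array targets insert.
    """
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]
    target = doc
    for tok in tokens[:-1]:
        # Intermediate containers must already exist; the policy relies on
        # spec.template.spec and containers[0] being present in every Deployment.
        target = target[int(tok)] if isinstance(target, list) else target[tok]
    last = tokens[-1]
    if isinstance(target, list):
        target.append(value) if last == "-" else target.insert(int(last), value)
    else:
        target[last] = value
    return doc


def mutate(deployment: dict) -> dict:
    """Apply the policy: only Deployments whose template carries the annotation are patched."""
    result = copy.deepcopy(deployment)
    if deployment.get("kind") != "Deployment" or not precondition_matches(deployment):
        return result
    for op in POLICY_PATCH:
        assert op["op"] == "add"  # the policy only uses 'add'
        json_pointer_add(result, op["path"], op["value"])
    return result


def make_deployment(inject: bool, existing_volumes=None) -> dict:
    """Constructed sample Deployment (not from the page); image name is a placeholder."""
    annotations = {INJECT_ANNOTATION: "enabled"} if inject else {}
    pod_spec = {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]}
    if existing_volumes:
        pod_spec["volumes"] = existing_volumes
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "demo"},
        "spec": {"template": {"metadata": {"annotations": annotations}, "spec": pod_spec}},
    }


if __name__ == "__main__":
    print(json.dumps(mutate(make_deployment(inject=True)), indent=2))
    # A Deployment that already has a 'data' volume ends up with only 'vault-secret':
    clobbered = mutate(make_deployment(True, [{"name": "data", "emptyDir": {}}]))
    print([v["name"] for v in clobbered["spec"]["template"]["spec"]["volumes"]])
```

The replace-on-existing-member behaviour is the reason a production variant of this policy would typically append (`path: /spec/template/spec/volumes/-`, after ensuring the array exists) or use a strategic merge patch instead, and would be tested against Deployments that already declare volumes and volumeMounts. The same dry run against the real policy file can be done with the Kyverno CLI (`kyverno apply <policy.yaml> --resource <deployment.yaml>`).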