Inject Sidecar Container

The sidecar pattern is very common in Kubernetes: other applications insert components by silently modifying a resource as it is submitted, which is, for example, how service meshes and secrets-management tools are able to function transparently. This policy injects a sidecar container, an initContainer, and a volume into the Pod template of Deployments whose template carries the annotation `vault.hashicorp.com/agent-inject: "true"`.

Policy Definition

/other/inject_sidecar_deployment/inject_sidecar_deployment.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-sidecar
  annotations:
    policies.kyverno.io/title: Inject Sidecar Container
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod,Volume
    policies.kyverno.io/description: >-
      The sidecar pattern is very common in Kubernetes whereby other applications can
      insert components via tacit modification of a submitted resource. This is, for example,
      often how service meshes and secrets applications are able to function transparently.
      This policy injects a sidecar container, initContainer, and volume into Pods that match
      an annotation called `vault.hashicorp.com/agent-inject: true`.
spec:
  rules:
  - name: inject-sidecar
    match:
      resources:
        kinds:
        - Deployment
    mutate:
      patchStrategicMerge:
        spec:
          template:
            metadata:
              annotations:
                (vault.hashicorp.com/agent-inject): "true"
            spec:
              containers:
              - name: vault-agent
                image: vault:1.5.4
                imagePullPolicy: IfNotPresent
                volumeMounts:
                - mountPath: /vault/secrets
                  name: vault-secret
              initContainers:
              - name: vault-agent-init
                image: vault:1.5.4
                imagePullPolicy: IfNotPresent
                volumeMounts:
                - mountPath: /vault/secrets
                  name: vault-secret
              volumes:
              - name: vault-secret
                emptyDir:
                  medium: Memory
```
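To see what the rule above does to a submitted resource, here is an added Python model of it (not Kyverno's own code, which performs the merge in the admission webhook): it applies the `(vault.hashicorp.com/agent-inject)` conditional anchor, so only Deployments whose pod template annotation equals `"true"` are changed, and merges the `containers`, `initContainers` and `volumes` lists by `name` the way a strategic merge patch does, so a second pass does not add duplicates. The sample Deployment is constructed, and merging a matching entry is simplified to a shallow key override (real strategic merge also merges nested lists such as `volumeMounts`).

```python
import copy

# Sidecar, initContainer and volume exactly as in the policy's patchStrategicMerge
VAULT_MOUNT = {"mountPath": "/vault/secrets", "name": "vault-secret"}
SIDECAR = {"name": "vault-agent", "image": "vault:1.5.4",
           "imagePullPolicy": "IfNotPresent", "volumeMounts": [VAULT_MOUNT]}
INIT_CONTAINER = {"name": "vault-agent-init", "image": "vault:1.5.4",
                  "imagePullPolicy": "IfNotPresent", "volumeMounts": [VAULT_MOUNT]}
VOLUME = {"name": "vault-secret", "emptyDir": {"medium": "Memory"}}
ANNOTATION = "vault.hashicorp.com/agent-inject"


def _merge_by_name(existing, patch_item):
    """Strategic-merge a list keyed on 'name': override a matching entry, else append.
    Simplification (assumption): nested lists are overridden, not merged."""
    for i, item in enumerate(existing):
        if item.get("name") == patch_item["name"]:
            existing[i] = {**item, **patch_item}
            return
    existing.append(copy.deepcopy(patch_item))


def inject_sidecar(resource):
    """Return (mutated_copy, changed). Mirrors the rule: match Deployments only, and
    mutate only when the pod template annotation equals "true" (the (key) anchor)."""
    if resource.get("kind") != "Deployment":
        return resource, False
    template = resource.get("spec", {}).get("template", {})
    annotations = template.get("metadata", {}).get("annotations") or {}
    if annotations.get(ANNOTATION) != "true":
        return resource, False
    out = copy.deepcopy(resource)  # never mutate the caller's object
    pod_spec = out["spec"]["template"].setdefault("spec", {})
    _merge_by_name(pod_spec.setdefault("containers", []), SIDECAR)
    _merge_by_name(pod_spec.setdefault("initContainers", []), INIT_CONTAINER)
    _merge_by_name(pod_spec.setdefault("volumes", []), VOLUME)
    return out, True


# Constructed sample Deployment that opts in via the annotation
SAMPLE = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {
        "metadata": {"annotations": {ANNOTATION: "true"}},
        "spec": {"containers": [{"name": "app", "image": "nginx:1.25"}]}}},
}

if __name__ == "__main__":
    mutated, changed = inject_sidecar(SAMPLE)
    print(changed, [c["name"] for c in mutated["spec"]["template"]["spec"]["containers"]])
```

Note that the rule matches kind `Deployment` only, so Pods created directly or through other controllers are not mutated by this policy.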