From dce89d417fb9eab81606f229a9632d7f08560d79 Mon Sep 17 00:00:00 2001
From: Vassiliy Yegorov
Date: Mon, 13 Apr 2026 12:37:09 +0700
Subject: [PATCH] init

---
 03-mutation/01-basics/README.md | 13 +++++
 03-mutation/01-basics/init-containers.yaml | 33 +++++++++++++
 03-mutation/01-basics/normalize.yaml | 32 +++++++++++++
 03-mutation/01-basics/pre-conditions.yaml | 56 ++++++++++++++++++++++
 4 files changed, 134 insertions(+)
 create mode 100644 03-mutation/01-basics/init-containers.yaml
 create mode 100644 03-mutation/01-basics/normalize.yaml
 create mode 100644 03-mutation/01-basics/pre-conditions.yaml

diff --git a/03-mutation/01-basics/README.md b/03-mutation/01-basics/README.md
index 7fac4cf..b58b8a7 100644
--- a/03-mutation/01-basics/README.md
+++ b/03-mutation/01-basics/README.md
@@ -80,3 +80,16 @@ mutate:
 kubectl get mutatingwebhookconfigurations -o yaml | \
 grep "name:" | grep kyverno
 ```
+
+## Дебаг мутаций
+
+```bash
+# Посмотреть мутированный под
+kubectl get pod my-pod -o yaml | grep -A 20 "labels:"
+
+# Проверить через dry-run
+kubectl apply -f pod.yaml --dry-run=server -o yaml | grep -A 5 "labels:"
+
+# Kyverno CLI для локального тестирования
+kyverno apply add-standard-labels.yaml --resource pod.yaml
+```
\ No newline at end of file
diff --git a/03-mutation/01-basics/init-containers.yaml b/03-mutation/01-basics/init-containers.yaml
new file mode 100644
index 0000000..4a07922
--- /dev/null
+++ b/03-mutation/01-basics/init-containers.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-wait-for-db
+ annotations:
+ policies.kyverno.io/title: "Добавление init-контейнера для ожидания PostgreSQL"
+ policies.kyverno.io/category: Governance
+ policies.kyverno.io/severity: low
+ policies.kyverno.io/subject: Deployment,StatefulSet,DaemonSet
+ policies.kyverno.io/description: >-
+ 1. По условию добавляет init-контейнер для ожидания PostgreSQL
+spec:
+ rules:
+ - name: add-wait-for-db
+ match:
+ resources:
+ kinds:
+ - Pod
+ preconditions:
+ any:
+ - key: "{{ request.object.metadata.annotations.\"init.company.com/wait-for-db\" }}"
+ operator: Equals
+ value: "true"
+ mutate:
+ patchStrategicMerge:
+ spec:
+ initContainers:
+ - name: wait-for-db
+ image: registry.company.com/busybox:1.36
+ command:
+ - sh
+ -c
+ until nc -z postgres-service 5432; do echo "Ожидаем PostgreSQL..."; sleep 2; done
\ No newline at end of file
diff --git a/03-mutation/01-basics/normalize.yaml b/03-mutation/01-basics/normalize.yaml
new file mode 100644
index 0000000..bb2e9ce
--- /dev/null
+++ b/03-mutation/01-basics/normalize.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: normalize-image-tag
+ annotations:
+ policies.kyverno.io/title: "Нормализация тега образа"
+ policies.kyverno.io/category: Governance
+ policies.kyverno.io/severity: low
+ policies.kyverno.io/subject: Deployment,StatefulSet,DaemonSet
+ policies.kyverno.io/description: >-
+ 1. По условию заменяет тег образа на ":stable"
+spec:
+ rules:
+ - name: normalize-image-tag
+ match:
+ resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: "request.object.spec.containers"
+ preconditions:
+ any:
+ - key: "{{ element.image }}"
+ operator: EndsWith
+ value: ":latest"
+ patchStrategicMerge:
+ spec:
+ containers:
+ - name: "{{ element.name }}"
+ image: >-
+ {{ replace_all('{{ element.image }}', ':latest', ':stable') }}
\ No newline at end of file
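Review bot: The `wait-for-db` init container injected under `patchStrategicMerge.spec.initContainers` carries no `securityContext` and no `resources`, so every Pod this rule touches gains a container running as the image's default user with unbounded CPU and memory, and `registry.company.com/busybox:1.36` is a mutable tag rather than a digest. Because the policy, not the workload author, adds this container, it should carry the cluster's baseline itself (non-root user, no privilege escalation, all capabilities dropped, small limits) and pin the image by `@sha256:` digest so a retagged busybox cannot silently change what runs in front of every database client. The `until nc -z …` loop also has no upper bound, so a Pod whose `postgres-service` never answers sits in Init forever; a bounded retry that exits non-zero surfaces the failure instead. Separately, the precondition dereferences the annotation with no default, so Pods lacking `init.company.com/wait-for-db` may fail variable substitution rather than cleanly skipping; appending `|| ''` inside the JMESPath expression is the usual guard.
```yaml
          # … unchanged: match / preconditions / patchStrategicMerge header …
          initContainers:
            - name: wait-for-db
              # pinned by digest; <IMAGE-DIGEST> is a placeholder to fill in
              image: registry.company.com/busybox@sha256:<IMAGE-DIGEST>
              securityContext:
                runAsNonRoot: true
                runAsUser: 65534
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
                seccompProfile:
                  type: RuntimeDefault
              resources:
                requests:
                  cpu: 10m
                  memory: 16Mi
                limits:
                  cpu: 50m
                  memory: 32Mi
              command:
                - sh
                - -c
                - for i in $(seq 1 60); do nc -z postgres-service 5432 && exit 0; echo "Ожидаем PostgreSQL..."; sleep 2; done; exit 1
```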
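Review bot: The `foreach` entry in `normalize-image-tag` walks only `request.object.spec.containers`, so init containers keep `:latest` untouched even though they pull from the same registry and run first; a second `foreach` entry over `request.object.spec.initContainers` with the same `EndsWith ":latest"` precondition and the same patch (targeting `spec.initContainers`) closes that gap. The precondition also misses the implicit case: an image reference with no tag at all is pulled as `latest` by the kubelet but never ends with `:latest`, so the rule should either be documented as covering only the explicit suffix or be paired with a validate rule that rejects untagged references. Note too that `:stable` is just another mutable tag, so the policy changes which tag is followed rather than making the reference immutable; the `policies.kyverno.io/description` annotation should say that only an explicit `:latest` suffix on `spec.containers` is rewritten and that digest pinning remains the workload author's job.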
diff --git a/03-mutation/01-basics/pre-conditions.yaml b/03-mutation/01-basics/pre-conditions.yaml
new file mode 100644
index 0000000..eaa1693
--- /dev/null
+++ b/03-mutation/01-basics/pre-conditions.yaml
@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-production-annotations
+ annotations:
+ policies.kyverno.io/title: "Добавление лейблов по условию"
+ policies.kyverno.io/category: Governance
+ policies.kyverno.io/severity: low
+ policies.kyverno.io/subject: Deployment,StatefulSet,DaemonSet
+ policies.kyverno.io/description: >-
+ 1. По условию добавляет стандартные лейблы к workload ресурсам
+ 2. По названию образа добавляет дополнительные переменные
+spec:
+ rules:
+ - name: add-production-annotations
+ match:
+ resources:
+ kinds:
+ - Deployment
+ preconditions:
+ any:
+ - key: "{{ request.object.metadata.namespace }}"
+ operator: In
+ value:
+ - production
+ - prod
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ monitoring.company.com/enabled: "true"
+ alerting.company.com/oncall: "team-platform"
+ # Более сложный пример с зависимостью по образу
+ - name: add-java-opts
+ match:
+ resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: "request.object.spec.containers"
+ preconditions:
+ any:
+ - key: "{{ element.image }}"
+ operator: Contains
+ value: "openjdk"
+ - key: "{{ element.image }}"
+ operator: Contains
+ value: "eclipse-temurin"
+ patchStrategicMerge:
+ spec:
+ containers:
+ - name: "{{ element.name }}"
+ env:
+ - name: JAVA_OPTS
+ value: "-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0"
\ No newline at end of file
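Review bot: In the `add-java-opts` rule the strategic merge on `env` merges entries by `name`, so a container that already defines `JAVA_OPTS` gets its value replaced by `-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0` — any flags the workload author set there (trust-store paths, agent or security-manager options) disappear with no signal to the author. Add an `all:` precondition beside the existing `any:` so elements that already carry the variable are skipped, as sketched below; the `Contains "openjdk"` / `"eclipse-temurin"` substring checks are also broad and will match any image whose reference merely contains those words, which is worth stating in the rule's description. The `policies.kyverno.io/title` says labels ("лейблов") while the first rule patches `metadata.annotations`, so the title should be brought in line with what the rule writes.
```yaml
        foreach:
          - list: "request.object.spec.containers"
            preconditions:
              all:
                # skip containers that already set JAVA_OPTS; `[]` covers a missing env list
                - key: "{{ length(element.env[?name=='JAVA_OPTS'] || `[]`) }}"
                  operator: Equals
                  value: 0
              any:  # … unchanged: openjdk / eclipse-temurin image checks …
            # … unchanged: patchStrategicMerge adding JAVA_OPTS …
```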