init

03-mutation/01-basics/README.md

@@ -80,3 +80,16 @@ mutate:
 kubectl get mutatingwebhookconfigurations -o yaml | \
   grep "name:" | grep kyverno
 ```
+
+## Дебаг мутаций
+
+```bash
+# Посмотреть мутированный под
+kubectl get pod my-pod -o yaml | grep -A 20 "labels:"
+
+# Проверить через dry-run
+kubectl apply -f pod.yaml --dry-run=server -o yaml | grep -A 5 "labels:"
+
+# Kyverno CLI для локального тестирования
+kyverno apply add-standard-labels.yaml --resource pod.yaml
+```

03-mutation/01-basics/init-containers.yaml

@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-wait-for-db
+  annotations:
+    policies.kyverno.io/title: "Добавление init-контейнера для ожидания PostgreSQL"
+    policies.kyverno.io/category: Governance
+    policies.kyverno.io/severity: low
+    policies.kyverno.io/subject: Deployment,StatefulSet,DaemonSet
+    policies.kyverno.io/description: >-
+      1. По условию добавляет init-контейнер для ожидания PostgreSQL
+spec:
+  rules:
+    - name: add-wait-for-db
+      match:
+        resources:
+          kinds:
+          - Pod
+      preconditions:
+        any:
+        - key: "{{ request.object.metadata.annotations.\"init.company.com/wait-for-db\" }}"
+          operator: Equals
+          value: "true"
+      mutate:
+        patchStrategicMerge:
+          spec:
+            initContainers:
+            - name: wait-for-db
+              image: registry.company.com/busybox:1.36
+              command:
+              - sh
+              - -c
+              - until nc -z postgres-service 5432; do echo "Ожидаем PostgreSQL..."; sleep 2; done       

03-mutation/01-basics/normalize.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: normalize-image-tag
+  annotations:
+    policies.kyverno.io/title: "Нормализация тега образа"
+    policies.kyverno.io/category: Governance
+    policies.kyverno.io/severity: low
+    policies.kyverno.io/subject: Deployment,StatefulSet,DaemonSet
+    policies.kyverno.io/description: >-
+      1. По условию заменяет тег образа на ":stable"
+spec:
+  rules:
+    - name: normalize-image-tag
+      match:
+        resources:
+          kinds:
+          - Pod
+      mutate:
+        foreach:
+        - list: "request.object.spec.containers"
+          preconditions:
+            any:
+            - key: "{{ element.image }}"
+              operator: EndsWith
+              value: ":latest"
+          patchStrategicMerge:
+            spec:
+              containers:
+              - name: "{{ element.name }}"
+                image: >-
+                  {{ replace_all('{{ element.image }}', ':latest', ':stable') }}       

03-mutation/01-basics/pre-conditions.yaml

@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-production-annotations
+  annotations:
+    policies.kyverno.io/title: "Добавление лейблов по условию"
+    policies.kyverno.io/category: Governance
+    policies.kyverno.io/severity: low
+    policies.kyverno.io/subject: Deployment,StatefulSet,DaemonSet
+    policies.kyverno.io/description: >-
+      1. По условию добавляет стандартные лейблы к workload ресурсам
+      2. По названию образа добавляет дополнительные переменные
+spec:
+  rules:
+  - name: add-production-annotations
+    match:
+      resources:
+        kinds:
+        - Deployment
+    preconditions:
+      any:
+      - key: "{{ request.object.metadata.namespace }}"
+        operator: In
+        value:
+        - production
+        - prod
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            monitoring.company.com/enabled: "true"
+            alerting.company.com/oncall: "team-platform"
+  # Более сложный пример с зависимостью по образу
+  - name: add-java-opts
+    match:
+      resources:
+        kinds:
+        - Pod
+    mutate:
+      foreach:
+      - list: "request.object.spec.containers"
+        preconditions:
+          any:
+          - key: "{{ element.image }}"
+            operator: Contains
+            value: "openjdk"
+          - key: "{{ element.image }}"
+            operator: Contains
+            value: "eclipse-temurin"
+        patchStrategicMerge:
+          spec:
+            containers:
+            - name: "{{ element.name }}"
+              env:
+              - name: JAVA_OPTS
+                value: "-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0"