Mutation Custom Resources

The mutating webhook is registered with reinvocationPolicy: IfNeeded in its MutatingWebhookConfiguration, so it may be called again if another webhook changes the object after it. See the Kubernetes documentation on reinvocation policy for details.

Provide a configurable set of policies for modifying Kubernetes resources at the time they are deployed.

AssignMetadata

Allows you to modify the Metadata section of a resource. At the moment, Gatekeeper only allows adding labels and annotations; modifying labels or annotations that already exist is not supported.

Using * in spec.match.kinds is not allowed. If * is specified, the mutation will not be applied. Instead, you must explicitly list the target resources (kinds) along with their corresponding apiGroups.

Example 1. Adding the owner label with the value admin to all namespaces:

apiVersion: mutations.gatekeeper.sh/v1
kind: AssignMetadata
metadata:
  name: demo-annotation-owner
spec:
  match:
    scope: Namespaced
  location: "metadata.labels.owner"
  parameters:
    assign:
      value: "admin"

Example 2. Adding a label in a specific namespace and only to selected resources:

apiVersion: mutations.gatekeeper.sh/v1
kind: AssignMetadata
metadata:
  name: set-labels-<your_namespace>
spec:
  match:
    scope: Namespaced
    namespaces: ["<your_namespace>"]
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"] # The use of "*" is not allowed.
  location: "metadata.labels.<your_label_name>"
  parameters:
    assign:
      value: <your_label_value>

Assign

Allows you to modify fields outside the Metadata section.

An example of setting imagePullPolicy for all containers to Always in all namespaces except the system namespace:

apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: demo-image-pull-policy
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
    - apiGroups: ["*"]
      kinds: ["Pod"]
    excludedNamespaces: ["system"]
  location: "spec.containers[name:*].imagePullPolicy"
  parameters:
    assign:
      value: Always

ModifySet

Allows you to add and remove items from a list, such as arguments for running a container. New values are added to the end of the list.

An example of removing the --alsologtostderr argument from all containers in a pod:

apiVersion: mutations.gatekeeper.sh/v1
kind: ModifySet
metadata:
  name: remove-err-logging
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  location: "spec.containers[name: *].args"
  parameters:
    operation: prune
    values:
      fromList:
        - --alsologtostderr

AssignImage

Allows you to rewrite the image reference of a container (its registry domain, repository path, and tag or digest).

An example of changing the image parameter to the value my.registry.io/repo/app@sha256:abcde67890123456789abc345678901a:

apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: AssignImage
metadata:
  name: assign-container-image
spec:
  applyTo:
  - groups: [ "" ]
    kinds: [ "Pod" ]
    versions: [ "v1" ]
  location: "spec.containers[name:*].image"
  parameters:
    assignDomain: "my.registry.io"
    assignPath: "repo/app"
    assignTag: "@sha256:abcde67890123456789abc345678901a"
  match:
    source: "All"
    scope: Namespaced
    kinds:
    - apiGroups: [ "*" ]
      kinds: [ "Pod" ]
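To check what a policy will do before it reaches the cluster, the location strings used above (metadata.labels.owner, spec.containers[name:*].imagePullPolicy, spec.containers[name: *].args) can be evaluated offline against a manifest. The following is an added illustration, not Gatekeeper's own code: a small parser for that location syntax plus an assign and a ModifySet prune applied to a constructed sample Pod. It intentionally overwrites existing values, which real AssignMetadata does not do.

```python
import re
from copy import deepcopy

# One path segment: "field" or "field[key:value]" (spaces after the colon tolerated).
_SEG = re.compile(r'^([^.\[\]]+)(?:\[([^:\]]+):\s*([^\]]+)\])?$')

def parse_location(location):
    """'spec.containers[name:*].image' -> [('spec', None), ('containers', ('name', '*')), ('image', None)]"""
    segments = []
    for part in location.split('.'):
        m = _SEG.match(part)
        if not m:
            raise ValueError(f"bad location segment: {part!r}")
        field, key, val = m.groups()
        segments.append((field, (key, val.strip()) if key else None))
    return segments

def _targets(obj, segments):
    """Yield (parent, last_field) for every object the location resolves to; missing maps are created."""
    field, selector = segments[0]
    if len(segments) == 1:
        yield obj, field
        return
    if selector is None:
        yield from _targets(obj.setdefault(field, {}), segments[1:])
    else:
        key, val = selector  # list selector: [key:value] or the [key:*] wildcard
        for item in obj.get(field, []):
            if val == '*' or item.get(key) == val:
                yield from _targets(item, segments[1:])

def assign(manifest, location, value):
    """Assign / AssignMetadata style mutation: set value at each resolved location."""
    out = deepcopy(manifest)
    for parent, key in _targets(out, parse_location(location)):
        parent[key] = value
    return out

def modify_set_prune(manifest, location, values):
    """ModifySet prune: drop the given values from an existing list, keeping order."""
    out = deepcopy(manifest)
    for parent, key in _targets(out, parse_location(location)):
        if key in parent:
            parent[key] = [v for v in parent[key] if v not in values]
    return out

# Constructed sample Pod (not from the page), used for the dry run.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
              "spec": {"containers": [
                  {"name": "app", "image": "nginx", "imagePullPolicy": "IfNotPresent",
                   "args": ["--alsologtostderr", "--v=2"]},
                  {"name": "sidecar", "image": "busybox"}]}}
```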