Closed: sanjaygopinath89 closed this issue 3 years ago
Is there any chance the annotation could be changed to a label? Then you could use match criteria to conditionally assign:
```yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: example
spec:
  applyTo:
  - groups: [""]
    versions: ["v1"]
    kinds: ["Pod"]
  match:
    labelSelector:
      matchLabels:
        "should-mutate": "yes"
  location: "spec.somewhere"
  parameters:
    assign:
      value: "something"
```
If the switch can't be a label, this may be similar to https://github.com/open-policy-agent/gatekeeper/issues/1274#issuecomment-828883528 where we need to be careful about not providing ways for users to write mutations in such a way that they recurse infinitely and never converge.
Because annotations are metadata, maybe we could treat them specially, just like labels. However, because annotations are unstructured, it's not clear to me how we could reliably match against them.
@maxsmythe
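The two points in the comment above, matching on a label rather than an annotation and making sure a mutation converges, can be checked outside the cluster with a small model. The following is an added example written for this thread, not Gatekeeper's code: it mimics a `labelSelector.matchLabels` match, an `Assign` that adds an env var to every container only where it is absent (the behaviour of a `pathTests` entry with `condition: MustNotExist` on the same path), and a driver that re-applies mutators until nothing changes and refuses the object if no fixed point is reached. The pods, the `should-mutate` selector and the `FEATURE_FLAG` variable are constructed inputs.

```python
import copy


def label_selector_matches(selector: dict, obj: dict) -> bool:
    """Mimic labelSelector.matchLabels: every requested label must be present
    on the object with the same value (matchExpressions is not modelled)."""
    want = selector.get("matchLabels", {})
    have = obj.get("metadata", {}).get("labels", {}) or {}
    return all(have.get(k) == v for k, v in want.items())


def assign_env_must_not_exist(obj: dict, name: str, value: str) -> bool:
    """Model an Assign at spec.containers[name:*].env[name:<name>] guarded by a
    MustNotExist path test: the entry is added only where absent, so applying
    the mutation twice is the same as applying it once. Returns True if changed."""
    changed = False
    for container in obj["spec"]["containers"]:
        env = container.setdefault("env", [])
        if not any(e.get("name") == name for e in env):
            env.append({"name": name, "value": value})
            changed = True
    return changed


def assign_env_append_always(obj: dict, name: str, value: str) -> bool:
    """Deliberately bad mutator for contrast: appends on every pass with no
    path test, so the object keeps changing and never reaches a fixed point."""
    for container in obj["spec"]["containers"]:
        container.setdefault("env", []).append({"name": name, "value": value})
    return True


def apply_mutations(obj: dict, mutators: list, max_passes: int = 10) -> tuple:
    """Apply every matching mutator repeatedly until a full pass changes nothing.
    If the object is still changing after max_passes, the mutator set does not
    converge; raise instead of looping forever. Returns (mutated_obj, passes)."""
    obj = copy.deepcopy(obj)  # never mutate the caller's object
    for passes in range(1, max_passes + 1):
        changed = False
        for selector, mutate in mutators:
            if label_selector_matches(selector, obj):
                changed = mutate(obj) or changed
        if not changed:
            return obj, passes
    raise RuntimeError(f"mutations did not converge after {max_passes} passes")


def env_names(obj: dict) -> list:
    """Flat list of env var names across all containers, for inspection."""
    return [e["name"] for c in obj["spec"]["containers"] for e in c.get("env", [])]


def converges(obj: dict, mutators: list) -> bool:
    """True if the mutator set reaches a fixed point on obj."""
    try:
        apply_mutations(obj, mutators)
        return True
    except RuntimeError:
        return False


# Constructed sample pods and selector (not taken from the issue).
LABELLED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "labels": {"should-mutate": "yes"}},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}
PLAIN_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "db", "labels": {"app": "db"}},
    "spec": {"containers": [{"name": "db", "image": "example/db:1.0"}]},
}
SELECTOR = {"matchLabels": {"should-mutate": "yes"}}

GOOD_MUTATORS = [(SELECTOR, lambda o: assign_env_must_not_exist(o, "FEATURE_FLAG", "on"))]
BAD_MUTATORS = [(SELECTOR, lambda o: assign_env_append_always(o, "FEATURE_FLAG", "on"))]


if __name__ == "__main__":
    mutated, passes = apply_mutations(LABELLED_POD, GOOD_MUTATORS)
    print(env_names(mutated), "after", passes, "passes")          # ['FEATURE_FLAG'] after 2 passes
    print(env_names(apply_mutations(PLAIN_POD, GOOD_MUTATORS)[0]))  # []
    print("bad mutator converges:", converges(LABELLED_POD, BAD_MUTATORS))  # False
```

The labelled pod gets the variable exactly once and the second pass is a no-op, the unlabelled pod is untouched, and the append-always mutator is rejected after the pass limit. The same shape of check (apply, re-apply, compare) is a cheap way to catch a non-converging `Assign` before it reaches an admission webhook.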
Thanks @maxsmythe for giving the details.
closing this, feel free to re-open if there is any follow-up needed.
We are trying to add a new env variable to a deployment based on an annotation value. So we need to use "value test" to specify the "condition" to add the env using "Assign".
Any example on mutation with "value tests" condition..?

Environment (`kubectl version`):