From 864da56e4df1150b3e9794221b9c6425f2365d32 Mon Sep 17 00:00:00 2001 From: Ammar Yasser Date: Mon, 16 Sep 2024 11:03:00 +0300 Subject: [PATCH] docs: Mention that DELETE should be specified if mutation on deletion is required (#1348) Signed-off-by: aerosouund Co-authored-by: shuting --- content/en/docs/writing-policies/mutate.md | 59 ++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/content/en/docs/writing-policies/mutate.md b/content/en/docs/writing-policies/mutate.md index aef4f152b..43a2b1efa 100644 --- a/content/en/docs/writing-policies/mutate.md +++ b/content/en/docs/writing-policies/mutate.md @@ -543,6 +543,65 @@ The targets matched by a mutate existing rule are not subject to Kyverno's [reso Mutate existing rules are force reconciled every hour by default regardless of the `mutateExistingOnPolicyUpdate` value. The reconciliation interval can be customized through use of the environment variable `BACKGROUND_SCAN_INTERVAL` set on the background controller. +Starting from kyverno `v1.11.2`, mutate existing rules that trigger on deletion of a resource will be skipped unless explicitly specified that the `DELETE` operation should match + +For example,the following policy should add a label to a configmap when a deployment is created or updated +```yaml +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: mutate-configmap-on-undefined-deployment-operation +spec: + background: false + rules: + - name: mutate-configmap-on-undefined-deployment-operation + match: + all: + - resources: + kinds: + - Deployment + mutate: + targets: + - apiVersion: v1 + kind: ConfigMap + name: example + namespace: example + patchesJson6902: |- + - path: "/metadata/labels/modified-by-kyverno" + op: add + value: "true" +``` + +To have it also run the mutation when the deployment is deleted, the policy should be modified as such +```yaml +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: mutate-configmap-on-undefined-deployment-operation +spec: + background: false + rules: + - name: mutate-configmap-on-undefined-deployment-operation + match: + all: + - resources: + kinds: + - Deployment + operations: + # add other operations if needed + - DELETE + mutate: + targets: + - apiVersion: v1 + kind: ConfigMap + name: example + namespace: example + patchesJson6902: |- + - path: "/metadata/labels/modified-by-kyverno" + op: add + value: "true" +``` + ### Variables Referencing Target Resources To reference data in target resources, you can define the variable `target` followed by the path to the desired attribute. For example, using `target.metadata.labels.env` references the label `env` in the target resource.