---
# Kyverno ClusterPolicy that stamps AIRM tracking metadata onto workload
# objects at admission time. Every rule is scoped to namespaces that carry the
# `airm.silogen.ai/project-id` label key (any value), so whoever may label
# namespaces decides where this policy applies.
#
# Trust summary for consumers of this metadata:
#   - project-id label : taken from the namespace, client value is overwritten.
#   - workload-id / component-id labels : client-supplied values are kept.
#   - submitter annotation : written only when rule 1 fires (see its note).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: airm-workload-tracking-policy
spec:
  # The rules read admission-request data (request.userInfo, request.uid,
  # request.oldObject), so the policy is not run in background scans.
  background: false
  rules:
    # Rule 1: mark objects that arrive without any AIRM tracking metadata as
    # auto-discovered, recording their kind and the requesting user.
    # NOTE(review): the rule is skipped as soon as any one of the three
    # precondition fields is non-empty. In that case a client-supplied
    # `airm.silogen.ai/submitter` annotation is left untouched, so the
    # annotation should not be read as an authenticated identity unless
    # another control enforces it - confirm against the consumers.
    # NOTE(review): request.userInfo.username is the identity attached to the
    # admission request; for objects created by a controller that is
    # presumably the controller's account, not the end user - confirm.
    - name: add-discovery-annotations-for-supported-types
      match:
        resources:
          kinds:
            - Job
            - Deployment
            - StatefulSet
            - DaemonSet
            - CronJob
            - KaiwoJob
            - KaiwoService
            - Pod
          namespaceSelector:
            matchExpressions:
              - key: airm.silogen.ai/project-id
                operator: Exists
      preconditions:
        all:
          # `|| ''` turns a missing label/annotation into an empty string so
          # the Equals comparison below has a defined left-hand side.
          - key: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || '''' }}'
            operator: Equals
            value: ""
          - key: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || '''' }}'
            operator: Equals
            value: ""
          - key: '{{request.object.metadata.annotations."airm.silogen.ai/auto-discovered" || '''' }}'
            operator: Equals
            value: ""
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              airm.silogen.ai/auto-discovered: "true"
              airm.silogen.ai/discovered-component-type: '{{request.object.kind }}'
              airm.silogen.ai/submitter: '{{request.userInfo.username }}'

    # Rule 2: when an object carries auto-discovered="true" but the recorded
    # component type differs from the object's own kind, flip the flag to
    # "false". Despite the rule name, nothing is removed: the
    # discovered-component-type and submitter annotations stay as they were.
    - name: remove-auto-discovered-annotations-inherited-from-parent
      match:
        resources:
          kinds:
            - Job
            - Deployment
            - StatefulSet
            - DaemonSet
            - CronJob
            - KaiwoJob
            - KaiwoService
            - Pod
          namespaceSelector:
            matchExpressions:
              - key: airm.silogen.ai/project-id
                operator: Exists
      preconditions:
        all:
          - key: '{{request.object.metadata.annotations."airm.silogen.ai/auto-discovered" || '''' }}'
            operator: Equals
            value: "true"
          - key: '{{request.object.metadata.annotations."airm.silogen.ai/discovered-component-type" || '''' }}'
            operator: NotEquals
            value: '{{request.object.kind }}'

      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              airm.silogen.ai/auto-discovered: "false"

    # Rule 3: force the object's project-id label to the value on its
    # namespace. The namespace labels are fetched through an API call and any
    # differing client-supplied project-id is overwritten, so a workload
    # cannot label itself into a different project than its namespace.
    # NOTE(review): the lookup needs read access to namespaces for the
    # identity Kyverno uses for apiCall context - confirm RBAC.
    - name: set-project-id-from-namespace-label
      context:
        - name: ns_labels
          apiCall:
            urlPath: /api/v1/namespaces/{{request.namespace }}
            jmesPath: metadata.labels
      match:
        resources:
          kinds:
            - Job
            - Deployment
            - StatefulSet
            - DaemonSet
            - CronJob
            - KaiwoJob
            - KaiwoService
            - Pod
          namespaceSelector:
            matchExpressions:
              - key: airm.silogen.ai/project-id
                operator: Exists
      preconditions:
        all:
          # Patch only when the label is missing or differs from the namespace.
          - key: '{{request.object.metadata.labels."airm.silogen.ai/project-id" || '''' }}'
            operator: NotEquals
            value: '{{ns_labels."airm.silogen.ai/project-id" }}'
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              airm.silogen.ai/project-id: '{{ns_labels."airm.silogen.ai/project-id" }}'

    # Rules 4-6: default the workload-id and component-id labels. Each value
    # resolves, in order, to: the label already on the incoming object, the
    # label on the previous version of the object, then request.uid (the UID
    # of the admission request, not the object's metadata.uid).
    # NOTE(review): unlike project-id, a client-supplied ID is accepted as is.
    # Nothing here checks that it is unique or belongs to the requester, so
    # these labels identify a workload for tracking but are not evidence of
    # ownership - confirm downstream consumers treat them that way.

    # Rule 4: kinds without a patched pod template; only the object's own
    # labels are set.
    - name: add-workload-and-component-id-default
      match:
        resources:
          kinds:
            - Pod
            - KaiwoJob
            - KaiwoService
          namespaceSelector:
            matchExpressions:
              - key: airm.silogen.ai/project-id
                operator: Exists
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
              airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'

    # Rule 5: kinds with a pod template. The same values are written to the
    # object's labels and to spec.template.metadata.labels. The template
    # labels are derived from the top-level object's labels, not from labels
    # already present on the template.
    - name: add-workload-and-component-id-to-objects-with-template
      match:
        resources:
          kinds:
            - Job
            - Deployment
            - StatefulSet
            - DaemonSet
          namespaceSelector:
            matchExpressions:
              - key: airm.silogen.ai/project-id
                operator: Exists
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
              airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
          spec:
            template:
              metadata:
                labels:
                  airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
                  airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'

    # Rule 6: CronJobs nest one level deeper. The values go onto the CronJob,
    # its jobTemplate, and the pod template inside the jobTemplate.
    - name: add-workload-and-component-id-cronjobs
      match:
        resources:
          kinds:
            - CronJob
          namespaceSelector:
            matchExpressions:
              - key: airm.silogen.ai/project-id
                operator: Exists
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
              airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
          spec:
            jobTemplate:
              metadata:
                labels:
                  airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
                  airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'
              spec:
                template:
                  metadata:
                    labels:
                      airm.silogen.ai/component-id: '{{request.object.metadata.labels."airm.silogen.ai/component-id" || request.oldObject.metadata.labels."airm.silogen.ai/component-id" || request.uid }}'
                      airm.silogen.ai/workload-id: '{{request.object.metadata.labels."airm.silogen.ai/workload-id" || request.oldObject.metadata.labels."airm.silogen.ai/workload-id" || request.uid }}'