nmiculinic

Reputation: 2474

Disable kubernetes enableServiceLinks globally?

Is there a way to disable service links globally? There's a field in podSpec:

enableServiceLinks: false

but it's true by default. I couldn't find anything in kubelet to kill it. Or is there some cool admission webhook toolchain I could use?

Upvotes: 4

Views: 1483

Answers (1)

matt_j

Reputation: 4614

You can use the Kubernetes-native policy engine called Kyverno. Kyverno policies can validate, mutate (see: Mutate Resources), and generate Kubernetes resources.

A Kyverno policy is a collection of rules that can be applied to the entire cluster (ClusterPolicy) or to the specific namespace (Policy).


I will create an example to illustrate how it may work.

First, we need to install Kyverno. You have the option of installing Kyverno directly from the latest release manifest or using Helm (see: Quick Start guide):

$ kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml

After successful installation, we can create a simple ClusterPolicy:

$ cat strategic-merge-patch.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: strategic-merge-patch
spec:
  rules:
  - name: enableServiceLinks_false_globally
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          enableServiceLinks: false

$ kubectl apply -f strategic-merge-patch.yaml
clusterpolicy.kyverno.io/strategic-merge-patch created

$ kubectl get clusterpolicy
NAME                    BACKGROUND   ACTION   READY
strategic-merge-patch   true         audit    true

This policy adds enableServiceLinks: false to the newly created Pod.

Let's create a Pod and check if it works as expected:

$ kubectl run app-1 --image=nginx
pod/app-1 created

$ kubectl get pod app-1 -oyaml | grep "enableServiceLinks:"
  enableServiceLinks: false

It also works with Deployments, StatefulSets, DaemonSets etc.:

$ kubectl create deployment deploy-1 --image=nginx
deployment.apps/deploy-1 created

$ kubectl get pod deploy-1-7cfc5d6879-kfdlh -oyaml | grep "enableServiceLinks:"
  enableServiceLinks: false

More examples with detailed explanations can be found in the Kyverno Writing Policies documentation.

Upvotes: 2
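
An added example, not part of the answer above: because the policy sets the field on newly created Pods, this Python script lists Pods that still have service links enabled, reading output in the shape of `kubectl get pods -A -o json`. The sample pod list (including the names legacy-1 and job-x) is constructed, and the script name audit.py in the comment is hypothetical.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "default", "name": "app-1"},
         "spec": {"enableServiceLinks": False,
                  "containers": [{"name": "nginx"}]}},
        {"metadata": {"namespace": "default", "name": "legacy-1",
                      "ownerReferences": [{"kind": "ReplicaSet",
                                           "name": "legacy-5d9c"}]},
         "spec": {"enableServiceLinks": True,
                  "containers": [{"name": "web"}]}},
        {"metadata": {"namespace": "batch", "name": "job-x"},
         "spec": {"containers": [{"name": "worker"}]}},
    ],
})


def pods_with_service_links(pod_list_json):
    """Return sorted (namespace, name, owner) for Pods with service links on."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        # An absent field counts as enabled, because the default is true.
        if spec.get("enableServiceLinks", True) is not False:
            owners = meta.get("ownerReferences") or []
            owner = "-"
            if owners:
                # The owner tells you which controller must be rolled
                # so that its Pods are recreated through admission.
                owner = f'{owners[0]["kind"]}/{owners[0]["name"]}'
            findings.append(
                (meta.get("namespace", ""), meta.get("name", ""), owner))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit.py
    # With no piped input, the constructed sample is used instead.
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else sys.stdin.read()
    for ns, name, owner in pods_with_service_links(data):
        print(f"{ns}/{name}\towner={owner}")
```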
