infra/stacks/kyverno/modules
Viktor Barzin bc714755ea kyverno: add mutateExistingOnPolicyUpdate=true so existing workloads get annotated
Before this, the inject-keel-annotations policy only fired on admission
events. Workloads that existed BEFORE their namespace got labeled
keel.sh/enrolled=true never received the annotation, so Keel didn't
watch them. Live state was 30 of 226 workloads auto-updating.

With mutateExistingOnPolicyUpdate=true and the required mutate.targets
block, Kyverno's BackgroundScan controller applies the mutate to
existing matching Deployments/StatefulSets/DaemonSets on policy update.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 23:27:27 +00:00
kyverno kyverno: add mutateExistingOnPolicyUpdate=true so existing workloads get annotated 2026-05-16 23:27:27 +00:00