docs: Mention that DELETE should be specified if mutation on deletion…

… is required Signed-off-by: aerosouund <[email protected]>
kyverno · Sep 13, 2024 · de671e1 · de671e1
1 parent 66cd1a0
commit de671e1
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/content/en/docs/writing-policies/mutate.md b/content/en/docs/writing-policies/mutate.md
@@ -40,6 +40,68 @@ spec:
                 imagePullPolicy: "IfNotPresent"
 ```
 
+Starting from kyverno `v1.11.2`, rules with mutations that trigger on deletion of a resource will be skipped unless explicitly specified that the `DELETE` operation should match
+
+For example, The following policy should add a label to a configmap when a deployment is created or updated
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: mutate-configmap-on-undefined-deployment-operation
+spec:
+  background: false
+  rules:
+    - name: mutate-configmap-on-undefined-deployment-operation
+      match:
+        all:
+          - resources:
+              kinds:
+                - Deployment
+
+      mutate:
+        targets:
+          - apiVersion: v1
+            kind: ConfigMap
+            name: example
+            namespace: example
+        patchesJson6902: |-
+          - path: "/metadata/labels/modified-by-kyverno"
+            op: add
+            value: "true"
+```
+
+To have it also run the mutation when the deployment is deleted, the policy should be modified as such
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: mutate-configmap-on-undefined-deployment-operation
+spec:
+  background: false
+  rules:
+    - name: mutate-configmap-on-undefined-deployment-operation
+      match:
+        all:
+          - resources:
+              kinds:
+                - Deployment
+              operations:
+              # add other operations if needed
+              - DELETE
+      mutate:
+        targets:
+          - apiVersion: v1
+            kind: ConfigMap
+            name: example
+            namespace: example
+        patchesJson6902: |-
+          - path: "/metadata/labels/modified-by-kyverno"
+            op: add
+            value: "true"
+```
+
 ## RFC 6902 JSONPatch
 
 A [JSON Patch](http://jsonpatch.com/), implemented as a mutation method called `patchesJson6902`, provides a precise way to mutate resources and supports the following operations (in the `op` field):