larkintuckerllc · September 17, 2025 10:59
diff --git a/nodepool-selector-affinites-exist-clusterpolicy.yaml b/nodepool-selector-affinites-exist-clusterpolicy.yaml
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: nodepool-selector-affinites-exist
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
 spec:
  rules:
  - name: nodepool-selector-affinites-exist
    match:
      any:
      - resources:
          annotations:
              example.com/nodepool: "*"
          kinds:
          - Pod
          namespaceSelector:
            matchLabels:
              example.com/match: "true"
          operations:
          - CREATE
    exclude:
        any:
        - resources:
            annotations:
              example.com/nodepool-selector-affinites: "true"
    preconditions:
      and:
      - key: "{{ request.object.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms || '' }}"
        operator: NotEquals
        value: ""
      - key: example.com/nodepool
        operator: AnyNotIn
        value: "{{ request.object.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[].matchExpressions[].key || [] }}"
    mutate:
      foreach:
      - list: "request.object.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms"
        patchesJson6902: |-
          - op: add
            path: "/metadata/annotations/example.com~1nodepool-selector-affinites"
            value: "true"
          - path: "/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms/{{elementIndex}}/matchExpressions/-"
            op: add
            value:
              key: example.com/nodepool
              operator: In
              values:
              - '{{ request.object.metadata.annotations."example.com/nodepool" }}'
	apiVersion: kyverno.io/v1
	kind: ClusterPolicy
	metadata:
	name: nodepool-selector-affinites-exist
	annotations:
	pod-policies.kyverno.io/autogen-controllers: none
	spec:
	rules:
	- name: nodepool-selector-affinites-exist
	match:
	any:
	- resources:
	annotations:
	example.com/nodepool: "*"
	kinds:
	- Pod
	namespaceSelector:
	matchLabels:
	example.com/match: "true"
	operations:
	- CREATE
	exclude:
	any:
	- resources:
	annotations:
	example.com/nodepool-selector-affinites: "true"
	preconditions:
	and:
	- key: "{{ request.object.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms \|\| '' }}"
	operator: NotEquals
	value: ""
	- key: example.com/nodepool
	operator: AnyNotIn
	value: "{{ request.object.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[].matchExpressions[].key \|\| [] }}"
	mutate:
	foreach:
	- list: "request.object.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms"
	patchesJson6902: \|-
	- op: add
	path: "/metadata/annotations/example.com~1nodepool-selector-affinites"
	value: "true"
	- path: "/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms/{{elementIndex}}/matchExpressions/-"
	op: add
	value:
	key: example.com/nodepool
	operator: In
	values:
	- '{{ request.object.metadata.annotations."example.com/nodepool" }}'