From 02dd37f8d442d039a7135e071c00effe25c79865 Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Fri, 29 May 2026 11:43:39 +0900
Subject: [PATCH] feat: add label-based exclusion to inject-coco-initdata policy

Add exclude block to inject-coco-initdata Kyverno policy to skip pods with label coco.io/skip-initdata: "true". This allows special-purpose kata pods (like firmware collection pods) to bypass init_data injection when they don't need attestation to KBS. Use case: The firmware collection workflow (PR #89) needs to launch a kata pod to collect TEE measurements using veritas, but doesn't require init_data injection since it only accesses the TEE device directly and doesn't request secrets from KBS. Without this exclusion, the policy tries to inject init_data but fails because the pod doesn't have the coco.io/initdata-configmap annotation, blocking pod creation. Usage: Add label coco.io/skip-initdata: "true" to any kata pod that should bypass init_data injection.

Co-Authored-By: Claude Sonnet 4.5
---
 .../templates/inject-coco-initdata.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml b/charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml
index 84c06855..d7b220a7 100644
--- a/charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml
+++ b/charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml
@@ -24,6 +24,12 @@ spec:
 - Pod
 operations:
 - CREATE
+ exclude:
+ any:
+ - resources:
+ selector:
+ matchLabels:
+ coco.io/skip-initdata: "true"
 preconditions:
 all:
 - key: "{{ "{{" }}request.object.spec.runtimeClassName || '' {{ "}}" }}"
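Review bot: The new `exclude` block lets any client that can create a pod opt out of init_data injection by setting `coco.io/skip-initdata: "true"`, which turns a scoped exception for the firmware-collection workflow into a self-service bypass of a confidential-computing control, and nothing in the hunk restricts where or by whom the label may be used. Narrow the exclusion to the namespace or service account that actually runs the collection pod, for example by adding `namespaces:` / `- <firmware-collection-namespace>` (placeholder) under `resources:`, or a `subjects:` entry alongside it, and consider a separate validate rule that denies the label elsewhere. A comment above `exclude:` should record the intent, e.g. `# Pods with this label run under the kata runtime without the injected init_data (no KBS/attestation config); keep its use restricted`. If the immediate problem is only the missing `coco.io/initdata-configmap` annotation described in the commit message, a precondition on that annotation may be a tighter fix than a free-form opt-out label, though that depends on the rest of the rule, which lies outside this hunk.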