We have a third-party component we install in our cluster, which (after a series of hoops irrelevant to this question have been jumped through) creates StatefulSets. These StatefulSets are configured with manifests bundled with the product, which we have no control over.
By default, these StatefulSets include a sidecar container which we don't want to run. I'm trying to figure out how to create a Gatekeeper webhook configuration that will mutate the pods created by this StatefulSet and remove the sidecar, but I can't figure out the specifics of how to set that up. I think what I need is a ModifySet, but the documentation doesn't quite cover this use case.
I tried the following configuration:

apiVersion: mutations.gatekeeper.sh/v1beta1
kind: ModifySet
metadata:
  name: first-attempt
spec:
  applyTo:
  - groups: ['']
    versions: ['v1']
    kinds: ['Pod']
  match:
    scope: Namespaced
    namespaces:
    - testing-mutating-webhooks
    kinds:
    - kinds:
      - Pod
  location: 'spec.containers[name: sidecar]'
  parameters:
    operation: prune
but that failed to apply with the error "final node in a modifyset location cannot be a keyed list". So, then I tried changing location to just spec.containers, but then it's not clear to me what to put in parameters.value in order to make it delete the element specified by name: sidecar.
I realize this might also be possible using a plain Assign mutation, but then I can't figure out what to set parameters.assign.value to either - even if I explicitly set it to null, applying it to the cluster fails with an error that I must set value, fromMetadata or externalData (i.e. it does not understand I'm trying to unset the value).
Is it possible to use Gatekeeper mutations to remove a container from a pod? How?
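The following is an added example, not code from the question or from the Gatekeeper project: a small Python model of the transformation the requested mutation has to produce. It parses location strings in the keyed-list syntax the question uses ('spec.containers[name: sidecar]'), rejects a ModifySet location whose final segment is a keyed list (the same condition as the error quoted above), and then performs the prune against the parent list ('spec.containers') by matching on the container name. The Pod manifest, image names and function names are constructed for this example; the code does not claim to reproduce Gatekeeper's internal evaluation, only to make explicit what "remove the container named sidecar" means against the object.

```python
"""Model of a keyed-list location and a prune-by-name over a Pod spec.

Added example; not Gatekeeper's code. All names and the sample Pod are constructed.
"""
import copy
from typing import Any


def parse_location(location: str) -> list[dict[str, Any]]:
    """Split 'spec.containers[name: sidecar]' into path segments.

    Each segment is {"key": <field>} with an optional "match": (key, value)
    when the field is addressed as a keyed list. Brackets are scanned
    explicitly so a match value may contain dots (e.g. an image reference).
    """
    segments: list[dict[str, Any]] = []
    i, n = 0, len(location)
    while i < n:
        j = i
        while j < n and location[j] not in ".[":
            j += 1
        key = location[i:j]
        if not key:
            raise ValueError(f"empty segment at offset {i} in {location!r}")
        seg: dict[str, Any] = {"key": key}
        if j < n and location[j] == "[":
            end = location.index("]", j)  # raises ValueError if unterminated
            match_key, sep, match_val = location[j + 1:end].partition(":")
            if not sep or not match_key.strip() or not match_val.strip():
                raise ValueError(f"bad keyed-list segment {location[j:end + 1]!r}")
            seg["match"] = (match_key.strip(), match_val.strip().strip("'\""))
            j = end + 1
        segments.append(seg)
        if j < n:
            if location[j] != ".":
                raise ValueError(f"unexpected {location[j]!r} at offset {j}")
            j += 1
        i = j
    return segments


def validate_modifyset_location(location: str) -> list[dict[str, Any]]:
    """A ModifySet must point at the list itself, not at one keyed element."""
    segments = parse_location(location)
    if "match" in segments[-1]:
        raise ValueError("final node in a modifyset location cannot be a keyed list")
    return segments


def location_is_valid_for_modifyset(location: str) -> bool:
    try:
        validate_modifyset_location(location)
        return True
    except ValueError:
        return False


def resolve(obj: Any, segments: list[dict[str, Any]]) -> Any:
    """Walk the object along the parsed segments, selecting keyed-list elements."""
    cur = obj
    for seg in segments:
        if not isinstance(cur, dict) or seg["key"] not in cur:
            raise LookupError(f"field {seg['key']!r} not present")
        cur = cur[seg["key"]]
        if "match" in seg:
            k, v = seg["match"]
            hits = [e for e in cur if isinstance(e, dict) and str(e.get(k)) == v]
            if len(hits) != 1:
                raise LookupError(f"expected exactly one element with {k}={v!r}, found {len(hits)}")
            cur = hits[0]
    return cur


def prune_from_list(obj: Any, parent_location: str, match_key: str, match_value: str):
    """Return (mutated copy, number removed): drop list elements whose match_key equals match_value."""
    segments = validate_modifyset_location(parent_location)
    result = copy.deepcopy(obj)  # never mutate the caller's object in place
    parent = resolve(result, segments)
    if not isinstance(parent, list):
        raise TypeError(f"{parent_location!r} does not resolve to a list")
    kept = [e for e in parent if not (isinstance(e, dict) and str(e.get(match_key)) == match_value)]
    removed = len(parent) - len(kept)
    parent[:] = kept
    return result, removed


# Constructed sample Pod, shaped like one the StatefulSet in the question would create.
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-0", "namespace": "testing-mutating-webhooks"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example.invalid/app:1.0"},
            {"name": "sidecar", "image": "example.invalid/sidecar:1.0"},
        ]
    },
}


if __name__ == "__main__":
    print(location_is_valid_for_modifyset("spec.containers[name: sidecar]"))  # False
    mutated, removed = prune_from_list(POD, "spec.containers", "name", "sidecar")
    print(removed, [c["name"] for c in mutated["spec"]["containers"]])
```

The point of the model is the split the error message forces: the keyed-list form is useful for locating one container (resolve), but the list operation itself has to be addressed to the parent list, with the element selection expressed as a match on a field rather than as a path segment.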